On the basis of no discernible evidence, Sherman is determined to believe that literally millions of Internet users who spoke out against online censorship—to say nothing of the scores of eminent constitutional scholars, network engineers, security specialists, and entrepreneurs—were little more than dupes of a few big tech companies.  This was a widely-condemned, lobbyist-scripted proposal whose political viability was so plainly purchased that Hollywood all but demanded a refund when it didn’t pass—yet in Sherman’s mind, incredibly, it was the immense popular backlash against this that “raised questions about how the democratic process functions in the digital age.”

There is a perverse logic to this: What Sherman has in mind is the familiar  “democratic process” where policy is ultimately crafted and debated behind closed doors by powerful institutional stakeholders.  Broader public involvement—should it become an unpleasant necessity—consists exclusively of being roused to enthusiasm or opposition, as necessary, by the stakeholders’ competing marketing campaigns. The defining principle of the modern Web—that users are not passive consumers of ideas, but the source of whatever value and creativity the platform enables—is alien to the model.

Unsurprisingly, Sherman’s op-ed doesn’t really read as though it’s aimed at the general public, but rather as a last desperate pitch over their heads to members of Congress: Pay no attention to the folks in front of the curtain! Since Sherman never takes seriously the possibility that opposition was grounded in well-informed concerns, it is little surprise that he makes scant attempt to seriously address them.

Instead, the piece is an extended exercise in stroking the wounded egos of legislators: You understood the severity of the online piracy problem, having diligently examined our fabricated statistics. You “studied the problem in all its dimensions, through multiple hearings”—only one of which actually concerned SOPA specifically, and all of which were transparently stacked with handpicked supporters of the legislation. Congress heard from Floyd Abrams, commissioned by the film lobby to give the legislation his constitutional seal of approval, but not from more than 100 eminent legal scholars who explained why it was an affront to the First Amendment.  Nor did they hear from the 83 respected network engineers, or the government’s own cybersecurity experts, who warned that it would interfere with efforts to secure the Internet’s Domain Name System against malicious hackers. Indeed, online opposition truly exploded after a session of the House Judiciary Committee where it became embarrassingly clear to the tech community how imperfectly legislators truly understood the network they were regulating, in no small part because the bill’s sponsors had steadfastly resisted holding a hearing with real technical experts. When Rep. Darrell Issa finally scheduled such a hearing, SOPA boosters rapidly retreated on the previously non-negotiable question of DNS blocking, perhaps because they realized how poorly it would reflect on their own process.

What, then, is Sherman’s evidence that opponents were misinformed?  Apparently because they thought a system requiring ISPs to block access to entire web domains—including protected speech along with copyright infringing content—and forcing search engines to redact their results might plausibly be described as “censorship.” Of course, it is so glaringly obvious that this is censorship that Sherman can’t quite bring himself to describe it in literal terms, falling back instead on strained physical analogies and the strange premise that censorship isn’t censorship if you only intend to block bad speech. On this definition, I suppose, censorship only occurs when the authorities approve of the information they are demanding be filtered out.

Beyond that, there’s precious little effort to substantiate the claim that companies opposed to SOPA “drowned out” accurate information by blasting their users with propaganda.  Indeed, the media companies backing the legislation seemed conspicuously uninterested in doing much of anything to inform their own enormous audiences about the legislation—perhaps because they harbored no illusions about how ordinary people would react once they started looking into the proposals. Like Sherman, they weren’t really seeking better informed public participation; they preferred not to have to worry about public participation at all. That suited the copyright lobbies quite nicely for decades as they steamrolled through one bill after another aimed at impoverishing the public domain and swelling corporate coffers, with no compensating benefit in additional creative output.

Hence this editorial, in which Sherman does his best Grima Wormtongue impression, reassuring members of Congress that their wisdom (fed by his solicitous guidance) is unimpeachable, and that any complaints from the masses—even masses taking their cues from legal and technical experts—can only demonstrate the enemy’s willingness to resort to lies and manipulation.  It’s an appealing pitch because it ties into the fiction most legislators will find psychologically necessary to do their jobs: that a few hundred sufficiently wise men and women can aspire to such universal competence that they’re able to make rules on every topic under the sun, however complex, for a vast nation of millions. But uncomfortable as it must be to contemplate that this may not be true, such humility—as Socrates first taught us—is the beginning of true wisdom.

SOPA’s Last Gasp: Was the Internet Misinformed? is a post from Cato @ Liberty - Cato Institute Blog

As I noted on Friday, the seizure of popular cyberlocker Megaupload demonstrates that, even without controversial new legislation, our government already has extraordinarily broad powers to take down U.S.-registered websites (including any site in the .com and .org domains) before anyone has been tried for illegal conduct, let alone convicted. While the evidence presented in the indictment charging Megaupload’s executives with criminal racketeering and copyright infringement certainly seems damning, I also worried about the broader chilling effect such seizures could have on cloud storage services generally.

It didn’t take long for those effects to become apparent. The cyberlocker Filesonic has now disabled file sharing functionality: Users can still upload files for personal storage, but can’t create public links to enable others to access those files. (Though I’m not sure what prevents someone from simply creating a dummy account, uploading files, and then publicly posting the login information.) Another cyberlocker, Uploaded.to, is just blocking all traffic from U.S. Internet addresses, though it’s not at all clear how much legal protection that’s likely to afford them. You can hardly blame them for being skittish: The Megaupload indictment suggests that the U.S. government considers a wide array of cyberlocker business practices to be ipso facto evidence of criminal intentions, even though there are arguably legitimate reasons for many of them. Yet the government doesn’t think it has to wait for a trial, or give the folks who run a site an opportunity to explain their practices, before seizing an entire domain—which would be an effective death sentence for many startups.

If you think all cyberlockers are nothing more than piracy tools, and there’s no legitimate reason to make use of cloud storage for anything but personal backups, this might sound like an entirely healthy development. It’s a little more worrying to those of us who see many valid reasons that law abiding individuals—even those who lack contracts with major record labels and movie studios, or the funds and tech savvy to run their own servers—might want to share large files with friends and colleagues, or distribute them to the general public.

To be sure, such services aren’t going to vanish entirely. Established corporations like Google have sophisticated filter algorithms that can help identify copyrighted content—though those are trivially defeated by file compression and encryption—and large, well paid legal teams to handle copyright compliance and fend off lawsuits, like the one Google’s own YouTube continues to fight with content behemoth Viacom. The question is whether these are the only companies we want offering such services. Is the market for cloud-based platforms that enable sharing (which is one of the big selling points of cloud computing) a market we’re prepared to see effectively closed off to startups  that can’t preemptively police every user-uploaded file to Hollywood’s satisfaction? Because that is the predictable effect of a regulatory environment where investors know a nascent site can be summarily yanked offline by a district judge who thinks a Tumblr is some sort of gymnastics aficionado.

If you’re only thinking about current, known uses of the Internet, this might not seem like that big a deal: Why do we need lots of different platforms for sharing large files? But then, just a few years ago it was hard to envision why we might want a platform for sharing streams of 140-character messages (“Just a bunch of people gabbing about what they had for lunch, ho-ho-ho!”) or a platform where anyone, not just Professional Content Creators, could upload short videos (“Amateur videos? Sounds like an excuse to steal movies!”) or half the other technologies that are so profoundly shaping 21st century life.

The last innovation is always safe. That’s why it’s easy to claim concrete examples of the harm regulation might do are hyperbolic fearmongering: Nobody’s going to shut down YouTube or Twitter now, because we’ve already seen the incredible value creation they enable, even if they also make it a bit easier to infringe copyrights. And anyway, the success stories eventually get big enough to afford their own fancy lawyers. It’s the next platform that we risk strangling in the cradle, because every new medium starts out recapitulating old media content before it becomes truly generative. Early radio is full of people reading newspapers and books out loud. Early TV and film looks like what you get when someone points a camera at a stage play.

File lockers still look like nothing but piracy tools to a lot of people, because most of us aren’t yet generating and sharing gigabytes worth of content on a daily basis. But it doesn’t take a whole lot of imagination to imagine a world where that’s not at all the case, a world where cheap, ubiquitous, powerful computing and rising bandwidth and falling storage costs make collaborative creation of high definition sound, video, and—who knows—maybe entire 3D environments a nigh universal recreational activity. (Like TV has been for the last couple generations, only with fewer dead brain cells.)

That world can be run by Google and Sony and a few other behemoths capable of negotiating byzantine licensing deals (and filtering protocols), with incumbents ill-disposed to see the value in anything that isn’t easily shoehorned into their existing business models. Or we can have a more dynamic, open world where someone with a cool idea for a platform can give it a try without spending more money on lawyers than servers first. The interesting, important question isn’t—as regulatory advocates want to make it—whether Megaupload should go out of business. Odds are it will and should, after a proper trial. It isn’t even whether sites like Rapidshare or Hotfile ought to follow suit. The interesting, important question is whether we’re going to have a legal climate that’s capable of giving rise to the second kind of cultural ecosystem, or one that’s only hospitable to the first kind.

The Megaupload Chilling Effects Hit is a post from Cato @ Liberty - Cato Institute Blog

Today’s unanimous Supreme Court ruling in United States v. Jones makes it clear that government installation and use of GPS tracking devices is a Fourth Amendment “search”—but it may be the concurring opinions, rather than Justice Scalia’s majority opinion, that are most significant for Americans’ privacy in the 21st century.

As Jim Harper notes, Justice Scalia ruled on the relatively narrow grounds that installing the tracking device involved physical intrusion on the suspect’s property, triggering Fourth Amendment protections.  Yet as Justices Alito and Sotomayor observe in separate concurrences—and as I pointed out in a previous post on this case—there are plenty of means for tracking a target’s location in public that don’t require such intrusion. One of the most popular with law enforcement is cell-phone tracking, either by means of a court order demanding records from the phone company directly, or through the use of devices known as “Stingrays” or “Triggerfish.” There’s also the use of license-plate recognition cameras, and even aerial surveillance drones.  The broader question that’s crucial to determining the extent of our privacy rights in the long term, then, is the one Scalia’s opinion pointedly declines to reach: Does prolonged, technologically-assisted location surveillance impinge on a citizen’s “reasonable expectation of privacy,” even when it does not require physical intrusion?

Justice Alito, joined by three other justices, says that it can indeed—and in this case, did. The placement of a tiny device on the undercarriage of a car parked in a public place, Alito argues, does not sufficiently “interfere” with a suspect’s property interests to constitute a Fourth Amendment “seizure,” nor is it a “search” until police activate and begin monitoring the device. If the police had simply slipped a business card into the tire, after all, the physical intrusion would be too minor in itself to count as an actionable trespass. Instead, Alito insists, it is necessary to proceed to the harder question of whether such intensive location monitoring violates our reasonable social expectations of privacy, even as we move around in public. Though the concurrence is reluctant to say exactly when that expectation is breached, Alito notes that round-the-clock surveillance over a full month would be so costly to carry out by conventional physical observation that it exceeds what reasonable people expect—and so triggers the Fourth Amendment’s warrant requirement.

Perhaps most intriguing is Sotomayor’s brief concurrence. For Sotomayor, either the property rationale relied on by Scalia or the “expectations” analysis deployed by Alito would suffice to find a Fourth Amendment violation here. That’s crucial, because it means that there are at least five votes on the current Court for the view that we have some Fourth Amendment protection against intensive, high-tech location tracking, even in public, and even when the method doesn’t require physical intrusion. Yet even more important than that may be this passage:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. [...] This approach is ill suited to the digital age, in which people reveal a greatdeal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. [...] But whatever the societal expectations, they can attain constitutionally protectedstatus only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

This is a pretty big deal. Fourth Amendment scholars have been warning for decades—and with increasing alarm—that modern communications technology could turn constitutional privacy protections into an empty formality if we’re regarded as waiving those protections whenever we “expose” information to a third party. It is inherent to the nature of the Internet and mobile telecommunications, after all, that almost everything we do online—and, increasingly, much that we do offline as well—leaves a trace in the vast databases of one corporation or another.

Sotomayor’s concurrence signals a recognition that we need to move beyond what privacy scholar Daniel Solove has called “The Secrecy Paradigm,” which assumes that whatever is not totally secret (or very nearly so) is effectively “public.” In other words, if your Internet provider has a record of every Web site you visit, there’s no invasion of privacy when the government decides to have a look at the list. At least one Justice, evidently, recognizes that this is an indefensible inference—and one hopes she’s not alone.

“Jones”ing for a Fourth Amendment Upgrade is a post from Cato @ Liberty - Cato Institute Blog

Online activists were still busy celebrating a successful day of protest against proposed (and now shelved) Internet censorship legislation when the Justice Department pulled the popular cyberlocker site Megaupload offline Thursday, and indicted its owners on charges of criminal copyright infringement. It was a serendipitously timed demonstration of two important facts.

First, the U.S. legal system is perfectly capable of reaching criminal suspects overseas. Megaupload is incorporated in Hong Kong, and its CEO was arrested (along with three employees) in New Zealand. That’s significant because supporters of laws like the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA) typically claim they’re helpless to do anything about overseas sites by more conventional means, necessitating aggressive new enforcement powers with streamlined hearings that give short shrift to due process. Now, if the people behind Megaupload are, in fact, guilty of criminal activity—and the indictment certainly looks damning—the government will have the opportunity to prove it beyond a reasonable doubt before a jury, which will also get to hear any exculpatory facts or arguments the defendants are able to offer. It can be a slow process, but it’s also how we’re supposed to do things in the United States: we don’t just issue orders branding people or sites as “rogues,” we convict them.

Second, if you’re worried about the government taking down U.S.-registered sites, which include any site in the .com and .org domains, wherever their servers might be located, then SOPA and PIPA aren’t really what you should be concerned about: the government already has that power under the PRO-IP Act of 2008. There are good reasons SOPA and PIPA attracted more attention: Instead of “seizing” domains directly at the registry, they would have imposed blocking and filtering obligations on thousands of ISPs and search engines, creating a whole host of technological and security problems. There was also the private right of action, which seemed more susceptible to abuse by overzealous copyright owners who were able to find a friendly judge. But the central power of the government to shut down web domains is already there in PRO-IP, and has been used to seize hundreds of sites already—wrongfully in at least some cases. Incidentally, those absurdly inflated phony statistics I wrote about earlier this month—the ones the Government Accountability Office has debunked, which even the content industries have finally stopped using—were heavily cited as evidence for why PRO-IP was needed, featuring prominently in press releases by the bill’s authors.

The owners of Megaupload don’t seem like particularly sympathetic characters, but the abrupt seizure of the domain before trial ought to give us a bit of pause. The site was plainly used to enable an enormous amount of copyright infringement—and judging by the indictment, the site’s operators appear to not only have known about this, but encouraged it in order to bolster their ad revenues. But that doesn’t mean that’s all the site was used for. Plenty of people made legitimate use of the site for cloud storage, or to (legally) share large files with friends, family, or colleagues. Indeed, no small number of major-label recording artists declared in song  that they used the site for just such purposes. Journalist Adam Penenberg tweeted this morning that he was in the habit of using the site to share recordings of his interviews with a transcription service. If you Google around, of course, you’ll mostly see evidence of the more illicit uses—but that’s because people don’t post a link publicly on the Internet when they’re trying to share a file in a more limited way. Taking the entire domain down has affected all those legitimate uses along with the illicit ones.

Civil forfeiture laws have, frankly, always been subject to abuse. But when a suspected drug dealer’s car is seized, the effects are at least limited to the suspect and his family. The de facto seizure of an entire online platform, by contrast, affects all the users of that site, including many thousands who were using it to engage in legitimate, protected speech. And precisely because the non-pirate uses are less likely to involve public links, it’s extremely hard to know in advance exactly how much collateral damage is inflicted on legitimate activity by the seizure. In this specific case, I’d wager the proportion of illicit to legitimate content was quite high, but I can guarantee there’s also a whole lot of copyright-infringing videos posted to YouTube at any given instant as well; most people, presumably, recognize that shutting down YouTube in order to disable access to those videos would not be worth the enormous cost to protected speech.

There are also some troubling arguments offered by the government in the indictment. They suggest, for instance, that Megaupload shouldn’t be eligible for “safe harbor” under the Digital Millennium Copyright Act because though the firm would disable specific URLs linking to “infringing content” upon notice by copyright owners, it did not remove the underlying file entirely. (Megaupload was designed, like many other cloud storage services, to only keep one underlying copy of a file that many different users had uploaded, though it would create a different virtual address for each user’s “own” instance of the file.)  This may sound like shameless flouting of the DMCA takedown process, but it’s a bit more complicated than that, because in reality “infringing content” is something of a misnomer. Content is content. It’s what you do with it that infringes copyright.

Just about everyone’s hard drive these days is full of copyrighted music in MP3 format.  But it isn’t necessarily “infringing content.” In my case, it’s music I’ve downloaded from legal venues like the iTunes store or ripped from CDs I purchased back when one still bought music in shiny-plastic-disc form. Many people will put their legal MP3 files in a private Dropbox folder, or some other cloud storage service, so they can access the music from the office as well as their home desktops, or from their networked mobile devices. Creating a public link to those files, and distributing them to anyone on the Internet who wants them, would clearly be copyright infringement.  But that doesn’t mean the files themselves are suddenly “infringing content,” and it doesn’t mean that every user should lose his own access to the same files because other users tried to publicly distribute them.

This is another reason the takedown-before-trial model is disturbing. Again, there’s strong evidence in the indictment that Megaupload’s conduct here was anything but innocent. But now imagine some other cloud storage site that comes under the crosshairs of the government or content industries. As I suggest above, they might have very good reason for only disabling specific, publicly distributed links to a copyrighted file in response to a takedown notice, rather than cutting off access to every user who has remotely stored the file, regardless of how they’re using it. At a trial, they’d get to explain that.  If the site is shut down before its operators have an opportunity to even make the argument … well, that doesn’t bode well for investment in innovative cloud services.

FBI Reminds Us Government Already Has MegaPower to Take Down Websites is a post from Cato @ Liberty - Cato Institute Blog

With popular sites all over the Internet “going dark” to protest well-intentioned but ill-considered antipiracy legislation, the Stop Online Piracy Act and PROTECT-IP Act are shedding supporters faster than Anthony Weiner on a Twitter spree. But as I explain in a Cato podcast today, neither is dead yet: Rep. Lamar Smith has pledged to continue marking up SOPA next month, and PIPA is still set for a cloture vote next week.

In a huge about-face, given their prior intransigence on this point, both have said they’re prepared to remove, at least temporarily, an onerous and controversial provision to require DNS blocking of accused “rogue sites,” which is an encouraging sign. But if DNS blocking was the worst piracy-fighting proposal on the table, it’s hardly the only one.

The Justice Department and private copyright owners can still seek to have entire foreign sites branded as infringers, triggering an array of remedies that would still deter technological investment and innovation, and still impose serious burdens on American companies and ordinary Internet users. Contrary to the claims of SOPA and PIPA supporters, copyright holders have often been perfectly able to sue the foreign “rogue sites” they cite as evidence new legislation is needed… the problem is that sometimes, they lose. Instead of all that messy litigation, SOPA and PIPA would establish one-sided hearing mechanism that mocks true due process. Any site a single friendly judge deems “rogue” would still be starved of advertising and subscription revenue. American search engines and other “information location tools” would still have to filter their content to redact any links to the shunned site. As Wikileaks has learned, repressive regimes have long known, and the Supreme Court acknowledged in Citizens United, economic regulation can silence speech (and run afoul of the First Amendment) as effectively as overt censorship.

That means we’re bound to see many more stories like the one entrepreneur Dmitri Shapiro tells: His innovative company Veoh won repeated copyright lawsuits filed by movie studios, but was still killed off by the cost of litigation. SOPA and PIPA will ensure that future lawsuit targets lack the means to fight back—which almost certainly means they’ll never get off the ground in the first place.

Such fears are hardly “hypothetical,” as Rep. Smith likes to argue, given industry’s ugly history of abusing copyright law to squelch competition and criticism. Remember, at the end of the day, that the market position of major studios and record labels is very much bound up with their control of traditional distribution channels.  Artists don’t need to be signed to a major label in order to record a great album—but they’re key to marketing the album and getting it into stores.

Any large platform that gives creators an easy way to reach audiences directly, or gives consumers easier mobile access to their legal content, will inevitably do two things: It will enable some amount of copyright infringement, because that’s what digital communications technologies tend to do, and it will cut out incumbent middlemen by circumventing their distribution channels. Industry complains loudly (and often rather dishonestly) about the first effect; the more serious long term threat to their business models is the second.

We’ve already seen a decade of futile efforts to stop unauthorized circulation of copyrighted materials online by “cracking down” ever harder. More new regulations aren’t likely to do the job—but the collateral damage they inflict will keep rising. As a recent and very thorough study by the Social Science Research Council argues, and Netflix has already shown within the United States, the most effective remedy for piracy is to make content easily available online at an attractive price.  Since it’s become a “political fact” that we Must Do Something Right Now to reduce online infringement, why not try that?

What’s Next for SOPA and PIPA? is a post from Cato @ Liberty - Cato Institute Blog

Earlier this month, I detailed at some length why claims about the purported economic harms of piracy, offered by supporters of the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA), ought to be treated with much more skepticism than they generally get from journalists and policymakers.  My own view is that this ought to be rather secondary to the policy discussion: SOPA and PIPA would be ineffective mechanisms for addressing the problem, and a terrible idea for many other reasons, even if the numbers were exactly right. No matter how bad last season’s crops were, witch burnings are a poor policy response.  Fortunately, legislators finally seem to be cottoning on to this: SOPA now appears to be on ice for the time being, and PIPA’s own sponsors are having second thoughts about mucking with the Internet’s Domain Name System.

That said, I remain a bit amazed that it’s become an indisputable premise in Washington that there’s an enormous piracy problem, that it’s having a devastating  impact on U.S. content industries, and that some kind of aggressive new legislation is needed tout suite to stanch the bleeding. Despite the fact that the Government Accountability Office recently concluded that it is “difficult, if not impossible, to quantify the net effect of counterfeiting and piracy on the economy as a whole,” our legislative class has somehow determined that—among all the dire challenges now facing the United States—this is an urgent priority. Obviously, there’s quite a lot of copyrighted material circulating on the Internet without authorization, and other things equal, one would like to see less of it. But does the best available evidence show that this is inflicting such catastrophic economic harm—that it is depressing so much output, and destroying so many jobs—that Congress has no option but to Do Something immediately? Bearing the GAO’s warning in mind, the data we do have doesn’t remotely seem to justify the DEFCON One rhetoric that now appears to be obligatory on the Hill.

The International Intellectual Property Alliance—a kind of meta-trade association for all the content industries, and a zealous prophet of the piracy apocalypse, released a report back in November meant to establish that copyright industries are so economically valuable that they merit more vigorous government protection. But it actually paints a picture of industries that, far from being “killed” by piracy, are already weathering a harsh economic climate better than most, and have far outperformed the overall U.S. economy through the current recession.  The “core copyright industries” have, unsurprisingly, shed some jobs over the past few years, but again, compared with the rest of the economy, employment seems to have held relatively stable at a time when you might expect cash-strapped consumers to be turning to piracy to save money.

Since the core function of copyright is to incentivize the production of creative works, it’s also worth looking for signs of declining output associated with filesharing. Empirically, it’s surprisingly hard to find an effect. Rather, a recent survey study by Felix Oberholzer-Gee of the Harvard Business School concluded that “data on the supply of new works are consistent with the argument that file sharing did not discourage authors and publishers” from producing more works, at least in the U.S. market.

So, for instance, Nielsen SoundScan data shows new album releases stood at 35,516 in 2000, peaked at 106,000 in 2008, and (amidst a general recession) fell back to mid-decade levels of about 75,000 for 2010. That’s against a general background of falling sales since 2004—mostly explained by factors unrelated to piracy—which finally seems to have reversed in 2011. The actual picture is probably somewhat better than that, because SoundScan data are markedly incomplete when it comes to the releases by indie artists who’ve benefited most from the rise of digital distribution.

If we look at movies, the numbers compiled by the industry statistics site Box Office Mojo show an average of 558 releases from American studios over the past decade, which rises to 578 if you focus on just the past five years. The average for the previous decade—before illicit movie downloads were even an option on most people’s radar—is 472 releases per year. (As we learn from a recent Congressional Research Service report, it’s weirdly hard to detect a strong overall correlation between output and employment in the motion picture industry, which actually fell slightly from 1998 to 2008, even as profits and CEO pay soared. One reason the growing trend in recent decades for “Hollywood” features to actually be produced in Canada or Australia.)

That’s all very nice, one might object, but wouldn’t these heartening numbers be even higher if labels and studios could recapture some of the revenue lost to illicit downloads? Well, they surely might—but it’s not nearly as clear as you’d think.

One reason is that they already are recapturing much of that revenue through “complementary” purchases. As Oberholzer-Gee observes, recording industry numbers show large increases in concert revenues corresponding to the drop in recorded music sales. That suggests that, as people discover new artists by sampling downloaded albums online, they’re shifting consumption within the sector to live performances. In other words, people have a roughly constant “music budget,” and what they don’t spend on the albums they’ve downloaded gets spent on seeing that new band they discovered.  For the firms that specifically make their money from the sale of recordings, that may seem like cold comfort, but if we’re concerned with the music industry as a whole, it’s a wash. Something similar might occur with respect to purchases of merchandise based on licensed film properties.

Another factor is that, notwithstanding projections of a “long tail” effect resulting from lower search and distribution costs in the digital era, most entertainment industries continue to operate on a “tournament” or “lottery” model, where a few hits generate jackpot revenues, sufficient to make up for losses on the majority of new products.  Unsurprisingly, the most heavily pirated movies each year tend to be the ones that are also highly successful at the box office and in DVD sales, with similar patterns in album downloads. In other words, bleeding revenue to piracy is going to be a problem to the extent that your product is a hit, in a market where the core uncertainty about this crucial fact (at the time when the decision whether to greenlight production is made) looms a lot larger than the marginal loss from illicit downloads if you are successful.

It’s a tricky but more or less tractable problem to estimate roughly how many full-time jobs you’ll need regionally to support one additional $150 million movie production next year. It’s a totally different question how aggregate sectoral employment in a volatile and evolving industry changes based on investor responses to a $150 million across-the-board drop in the size of the total film jackpot, especially given that arcane financial arrangements are one place Hollywood does show a genius for constantly adapting its business model. If you want to know how many people are getting laid off when McDonald’s revenues drop, it makes a difference whether it’s each of 13,000 franchises earning $100 less per year, or one franchise earning $1.3 million less, even though the total reduction is the same.

Finally, more demand for content being captured by the content industries is not always the same thing as demand for more content, in the sense of “a greater variety of output.” I noted earlier that the past few years have seen a significant spike in the number of movie titles released annually. But as the Los Angeles Times reported in 2008, studio executives soon began complaining about a “glut” of new movies, many of which were targeted at the same demographics, and therefore cannibalizing their own audiences. As one executive suggested, that meant that (at least in a market dominated by a few huge distributors) releasing fewer titles could yield higher profits—and, indeed, the number of titles released in the following two years dropped back to mid-decade levels. The key point here is that shifting some portion of the pirate audience to some form of legal viewing doesn’t necessarily change this basic calculus, because there’s an upper bound to the number of hours most people are going to spend watching (say) racing movies, whether they’re paying for the privilege or not. Rising demand can just as easily, for instance, bid up star salaries for a fixed number of films.

The point here isn’t that piracy by American consumers is somehow completely independent from output or employment rates in the content industries—though, again, that’s not at all the same thing as the overall U.S. employment rate. Obviously, at some level it has to have some effect. But the link is, to use the technical economic term, weirder than in many other sectors of the economy. In many industries, the relationship between consumer spending and job creation is relatively straightforward. If demand for widgets or restaurant meals rises, satisfying that demand requires a roughly linear increase in widget factories and restaurants, in hiring of widget-makers and cooks and waiters, and in purchases of the raw material inputs for those goods. Distribution of copyrighted content—and in particular digital distribution over the Internet—is a bit more complicated, for precisely the same reason piracy is an issue: once the first copy of a work has been created, an unlimited number of additional units (of the digital product) can be produced at effectively zero cost.

Let’s imagine, implausibly, that a measure  like SOPA did manage to reduce online piracy by U.S. consumers by some meaningful amount. A small potion of that reduction, the minority of downloads representing legal purchases displaced by file sharing, would translate into sales for the content industries. What form would these take? It seems reasonable to suppose that the majority of people who were previously getting their music and movies from The Pirate Bay are not typically lining up to buy shiny plastic discs at Wal-Mart. Rather, they’re probably disproportionately displacing legal digital downloads from venues like iTunes and Amazon, or subscription services like Netflix and Spotify, which are pretty clearly where the overall market is quickly going anyway.  (Apparently, literal thieves don’t even bother stealing physical media anymore.) For movies, there’s probably also some displacement of theatrical ticket sales, though as the theatrical experience is in many ways a distinct good, it’s hard to say how much substitution it’s reasonable to expect.

In the very short term, increased legal purchases of digital content wouldn’t seem likely to generate many additional jobs. If spending in the physical retail sector jumps 20 percent, shops need to hire more clerks, and their suppliers more manufacturing workers, to meet the increased demand. If spending in the iTunes store jumps 20 percent, Apple probably needs to pay a few bucks more for bandwidth and electricity, but basically everyone just gets to smile and pocket the extra profit. The jobs effects estimates we’re seeing tossed around, however, are coming from a 2007 study that would have had to employ, at the most recent, adjustments made several years before that to the benchmark multipliers the Bureau of Economic Analysis developed in 2002. Even leaving aside its many other problems, then, the job impact estimates in that study would have been largely based on legacy assumptions from a brick-and-mortar economy. (The loss estimates relied on would also, necessarily, fail to account for the recent rise of popular, legal streaming services that have likely lured many consumers back from the pirate market. There is, alas, no very good data here, but I’d wager Hulu and Netflix have done exponentially more to reduce piracy losses than enforcement crackdowns ever will.) In any event, you’d expect the most immediate effect of consumer spending shifts from widgets and restaurants to digital downloads would be, if anything, fewer net jobs.  The output and employment effects, rather, would show up in the longer term as lower returns reduce incentives to produce new content—and hire the workers needed to support that production.  For some of the reasons discussed above, though, empirically there’s just not much evidence for a dramatic effect of this kind.

No doubt piracy is costing the content industries something—or they wouldn’t be throwing so much money at Congress in support of this kind of legislation. If we could wave a magic wand and have less piracy, obviously that would be good.  But in the real world, where enforcement has direct costs to the taxpayer, regulation has costs on the industries it burdens, and the reduction in piracy they’re likely to produce is very small, it seems important to point out that the credible evidence for the magnitude of the harm is fairly thin. As a rough analogy, since antipiracy crusaders are fond of equating filesharing with shoplifting: suppose the CEO of Wal-Mart came to Congress demanding a $50 million program to deploy FBI agents to frisk suspicious-looking teens in towns near Wal-Marts. A lawmaker might, without for one instant doubting that shoplifiting is a bad thing, question whether this is really the optimal use of federal law enforcement resources. The CEO indignantly points out that shoplifting kills one million adorable towheaded orphans each year. The proof is right here in this study by the Wal-Mart Institute for Anti-Shoplifting Studies. The study sources this dramatic claim to a newspaper article, which quotes the CEO of Wal-Mart asserting (on the basis of private data you can’t see) that shoplifting kills hundreds of orphans annually. And as a footnote explains, it seemed prudent to round up to a million. I wish this were just a joke, but as readers of my previous post will recognize, that’s literally about the level of evidence we’re dealing with here.

In short, piracy is certainly one problem in a world filled with problems. But politicians and journalists seem to have been persuaded to take it largely on faith that it’s a uniquely dire and pressing problem that demands dramatic remedies with little time for deliberation.  On the data available so far, though, reports of the death of the industry seem much exaggerated.

Internet Regulation & the Economics of Piracy is a post from Cato @ Liberty - Cato Institute Blog

I’ve yet to encounter a technically clueful person who believes the Stop Online Piracy Act will actually do anything to meaningfully reduce—let alone “stop”—online piracy, and so I haven’t bothered writing much about the absurd numbers the bill’s supporters routinely bandy about in hopes of persuading lawmakers that SOPA will be an economic boon and create zillions of jobs. If the proposed solution just won’t work, after all, why bother quibbling about the magnitude of the problem? But then I saw the very astute David Carr’s otherwise excellent column on SOPA’s pitfalls, which took those inflated numbers more or less as gospel. If only because I’m offended to see bad data invoked so routinely and brazenly, on general principle, it’s important to try to set the record straight. The movie and music recording industry have gotten away with using statistics that don’t stand up to the most minimal scrutiny, over and over, for years, to hoodwink both Congress and the general public. Wherever you come down on any particular piece of legislation, this is not how policy should get made in a democracy, and it’s high time they were shamed into cutting it out.

The bogus numbers Carr cites—which I’ll get to in a moment—actually represent a substantial retreat from even more ludicrous statistics the copyright industries long peddled. In my previous life as the Washington editor for the technology news site Ars Technica, I became curious about two implausible sounding claims I kept seeing made over and over—and repeated by prominent U.S. Senators!—in support of more aggressive antipiracy efforts.  Intellectual property infringement was supposedly costing the U.S. economy $200–250 billion per year, and had killed 750,000 American jobs. That certainly sounded dire, but those numbers looked suspiciously high, and I was having trouble figuring out exactly where they had originated. I did finally run them down, and wrote up the results of my investigation in a long piece for Ars. Read the whole thing for the full, farcical story, but here’s the upshot: The $200–250 billion number had originated in a 1991 sidebar in Forbes, but it was not a measurement of the cost of “piracy” to the U.S. economy. It was an unsourced estimate of the total size of the global market in counterfeit goods. Beyond the obvious fact that these numbers are decades old, counterfeiting of physical goods imported in bulk and sold by domestic retail distributors is, rather obviously, a totally different phenomenon with different policy implications from the problem of illicit individual consumer downloads of movies, music, and software. The 750,000 jobs number had originated in a 1986 speech (yes, 1986) by the secretary of commerce estimating that counterfeiting could cost the United States “anywhere from 130,000 to 750,000″ jobs. Nobody in the Commerce Department was able to identify where those figures had come from.

These are the numbers that were driving U.S. copyright policy as recently as 2008—and I’m still seeing them repeated in “fact sheets” circulated by SOPA boosters.  Finally, in 2010, the Government Accountability Office released a report noting that these figures “cannot be substantiated or traced back to an underlying data source or methodology.” Now, if a single journalist could discover as much with a few days work, minimal due diligence should have enabled highly paid lobbyists to arrive at the same conclusion. The only way to explain the longevity of these figures, if we charitably rule out deliberate deception, is to infer that the people repeating them simply did not care whether what they were saying was true. If I were a legislator, I would find this more than a little insulting

As Carr’s piece suggests, SOPA’s corporate backers have fallen back on new numbers, but they’re still entirely bogus:

The Motion Picture Association of America cites figures saying that piracy costs the United States $58 billion annually. Mark Elliot, an executive from the U.S. Chamber of Commerce, said in a letter to The New York Times that such piracy threatened 19 million American jobs

Only $58 billion! We’re making progress! So where does that figure come from? The source here is a paper released by the Institute for Policy Innovation, and authored by one Stephen Siwek, an MBA and principal of a consulting firm called Economists Incorporated that produces economic analysis for hire on behalf of (among others) businesses seeking to influence policy makers. That does not, in itself, invalidate the research, but we should at least begin with the recognition that we are not dealing here with impartial academic studies produced by a university or government research agency.

What does invalidate the “research” is the inappropriate use of “multiplier” effects to double—and triple—count loss estimates that were dubious to begin with. As the GAO report notes in its typically understated fashion:

Most of the experts we interviewed were reluctant to use economic multipliers to calculate losses from counterfeiting because this methodology was developed to look at a one-time change in output and employment.

In other words, Siwek is taking a method that’s useful for analyzing where in the economy we will likely see the effects of demand shifts, and pretending that it somehow reflects aggregate economic losses. As my colleague Tim Lee has pointed out, this is Bastiat’s Broken Window Fallacy on steroids:

[I]n IPI-land, when a movie studio makes $10 selling a DVD to a Canadian, and then gives $7 to the company that manufactured the DVD and $2 to the guy who shipped it to Canada, society has benefited by $10+$7+$2=$19. Yet some simple math shows that this is nonsense: the studio is $1 richer, the trucker is $2, and the manufacturer is $7. Shockingly enough, that adds up to $10. What each participant cares about is his profits, not his revenues.

So, to stay focused on movies, Siwek takes an estimate of $6.1 billion in piracy losses to the U.S. movie industry, and through the magic of multipliers gets us to a more impressive sounding $20.5 billion. That original $6.1 billion figure, by the way, was produced by a study commissioned from LEK Consulting by the Motion Picture Association of America. Since even the GAO was unable to get at the underlying research or evaluate its methodology, it’s impossible to know how reliable that figure is, but given that MPAA has already had to admit significant errors in the numbers LEK generated, I’d take it with a grain of salt.

Believe it or not, though, it’s actually even worse than that. SOPA, recall, does not actually shut down foreign sites. It only requires (ineffective) blocking of foreign “rogue sites” for U.S. Internet users. It doesn’t do anything to prevent users in (say) China from downloading illicit content on a Chinese site. If we’re interested in the magnitude of the piracy harm that SOPA is aimed at addressing, then, the only relevant number is the loss attributable specifically to Internet piracy by U.S. users.

Again, we don’t have the full LEK study, but one of Siwek’s early papers does conveniently reproduce some of LEK’s PowerPoint slides, which attempt to break the data down a bit. Of the total $6.1 billion in annual losses LEK estimated to MPAA studios, the amount attributable to online piracy by users in the United States was $446 million—which, by coincidence, is roughly the amount grossed globally by Alvin and the Chipmunks: The Squeakquel.

So in a fantasy world where U.S. movie pirates don’t just circumvent blockage with a browser plugin, and SOPA actually stops all online movie piracy by American users, we get a $446 million economic benefit to the United States in the form of movie revenues, and presumably comparable benefits in music and software revenues? Well, no. Remember our old friend the Broken Window Fallacy. It’s true that some illicit U.S. downloads displace sales of legal products. But what happens to the money the pirates would have otherwise spent on those legal copies? They don’t eat it! As that same GAO report helpfully points out:

(1) in the case that the counterfeit good has similar quality to the original, consumers have extra disposable income from purchasing a less expensive good, and (2) the extra disposable income goes back to the U.S. economy, as consumers can spend it on other goods and services.

As one expert consulted by GAO put it, “effects of piracy within the United States are mainly redistributions within the economy for other purposes and that they should not be considered as a loss to the overall economy.” In many cases—I’ve seen research suggesting it’s about 80 percent for music—a U.S. consumer would not have otherwise purchased an illicitly downloaded song or movie if piracy were not an option. Here, the result is actually pure consumer surplus: The downloader enjoys the benefit, and the producer loses nothing. In the other 20 percent of cases, the result is a loss to the content industry, but not a let loss to the economy, since the money just ends up being spent elsewhere. If you’re concerned about the overall jobs picture, as opposed to the fortunes of a specific industry, there is no good reason to think eliminating piracy by U.S. users would yield any jobs on net, though it might help boost employment in copyright-intensive sectors. (Oh, and that business about 19 million jobs? Also bogus.)

Does that mean online piracy is harmless? Of course not. But the harm is a dynamic loss in allocative efficiency, which is much harder to quantify. That is, in the cases where a consumer would have been willing to buy an illicitly downloaded movie, album, or software program, we want the market to be accurately signalling demand for the products people value, rather than whatever less-valued use that money gets spent on instead. This is, in fact, very important! It’s a good reason to look for appropriately tailored ways to reduce piracy, so that the market devotes resources to production of new creativity and innovation valued by consumers, rather than to other, less efficient purposes. Indeed, it’s a good reason to look for ways of doing this that, unlike SOPA, might actually work.

It is not, however, a good reason to spend $47 million in taxpayer dollars—plus untold millions more in ISP compliance costs—turning the Justice Department into a pro bono litigation service for Hollywood in hopes of generating a jobs and a revenue bonanza for the U.S. economy. Any “research” suggesting we can expect that kind of result from Internet censorship is a fiction more fanciful than singing chipmunks.

How Copyright Industries Con Congress is a post from Cato @ Liberty - Cato Institute Blog

The Stop Online Piracy Act—a bill misleadingly named for its aspirations, not its probable effect—has provoked an outpouring of justified opposition, much of it centered on two primary concerns: The virtual certainty that it will result in the ancillary blocking of much legitimate free speech, and the damage it would do to the basic architecture of the open Internet. One point I haven’t seen pressed forcefully enough thus far, however, is that architectural and free speech concerns are not entirely independent. The practical effect of SOPA will be to create an architecture for censorship—both legal and technological—that will radically alter the costs of engaging in future censorship unrelated to piracy or counterfeiting.

SOPA is a 70 page statute establishing a detailed legal process by which the Justice Department can initiate blocking of supposed pirate domains by ISPs and search engines, and by which private parties can seek orders requiring payment processors and ad networks to sever ties. After flying largely below the radar of public attention for many months, we’re finally seeing sustained scrutiny and fierce debate over the bill. But the portion of the bill laying out the specific types of criminal conduct that trigger this Rube Goldberg censorship machine occupy just a couple of paragraphs. With the legal framework in place, expanding it to cover other conduct—obscenity, defamation, “unfair competition,” patent infringement, publication of classified information, advocacy in support of terror groups—would be a matter of adding a few words to those paragraphs. One sentence slipped in as a rider on some must-pass omnibus bill would do it: “Section 102(2)(B) is amended to add ‘or civil action under 17 USC §271′.”—voila, a nuclear weapon for patent trolls.

Then there’s the technological architecture. If SOPA passes, thousands of commercial ISPs, colleges, small businesses, nonprofits, and other entities that maintain domain servers are going to have to reconfigure their networks, potentially at substantial cost, in order to easily comply with the new law. There is an introductory clause in the latest version of the bill stipulating that no network operator will be required to implement a specific technology or redesign their networks in any particular manner in order to be considered in compliance. But let’s think realistically about what compliance will look like. Genuine “rogue sites” often operate via dozens of different domains, which means we’re apt to see regular updates to the government’s standing blacklist, potentially adding dozens or hundreds of domains in one go. Any sane network operator is just going to build a filter that reads off the current list of banned domains from a government feed and automatically stops resolving them. (This will, incidentally, be an enormously attractive attack surface for hackers: Spoof the SOPA feed—either at the source or to a particular provider—and you’ve got an instant bulk denial of service attack!)

Once the up-front costs of implementing that filter mechanism are paid, the marginal cost of additional censorship is effectively zero for the providers. It won’t much matter to the providers, at that point, whether the blacklist contains 10 domains or 10,000. The technology itself, needless to say, will be indifferent to the rationale for blacklisting. The filter will just automatically implement the list of domains it’s given; it won’t know or care whether they’re being blocked for hosting pirated movies, Hamas propaganda, or the Pentagon Papers.

These twin architectures will obliterate major institutional barriers to Internet censorship generally, not just censorship for antipiracy purposes.  Political actors—or special interest groups—who want to expand the scope of blocking will no longer have to justify putting in place a wholly new system of Internet blocking. Instead, the rhetorical question will become: Now that we’ve got this whole filter architecture in place for music and movie pirates, how can we possibly justify not using it for sites that host terrorist propaganda or classified documents, for sites that implement a patented business model without permission, for sites enabling speech some U.S. court has held libelous, and for whatever new moral panic is gracing the cover of Time in five years. Surely you’re not suggesting that illicit downloads of Norbit are a bigger problem than whatever outrage Joe Lieberman is fulminating against this week, are you?

Changing legal and technological architectures also changes the costs of future political decisions that make use of those architectures. Speech is more likely to stay free when censorship isn’t. The cheaper the muzzle, the dimmer the prospects for online expression.

SOPA: An Architecture for Censorship is a post from Cato @ Liberty - Cato Institute Blog

Proponents of the Stop Online Privacy Act (SOPA) and its Senate counterpart PROTECT-IP often affect incredulity that anyone would “defend piracy” by describing their valiant attempts to stamp out “rogue sites” as a threat to free speech or innovation. Recording Industry Association of America head Cary Sherman, for instance, recently insisted to The New York Times that the bills are “specifically designed to focus on the worst of the worst sites whose model is predicated on theft.” This would be more convincing if the content industries weren’t so clearly continuing their long, proud tradition of making aggressive and overbroad copyright claims that would impede speech and innovation.

In the 80s, Universal Studios famously sued Sony to block the sale of Betamax VCRs, which could be used to “facilitate” the infringement of copyrights in shows and movies aired on broadcast television. Blocking VCR sales, of course, might also have strengthened the market position of the DiscoVision laserdisc system being developed by MCA, Universal’s parent company. The Supreme Court eventually vindicated Sony, but Universal did manage to persuade one lower court to rule in their favor. If SOPA’s blocking provisions could be implemented in the physical world, every VCR (and maybe every Sony product) would have stopped working after that first favorable ruling, until Sony could meet the burden of proving its innocence in a U.S. court. Of course, under a rule like that, consumers might have been wary of buying a VCR in the first place.

And today? It’s the Universal Music Group heading to court, after using a dubious copyright claim to take down an embarrassing video in which pop stars sing the praises of the site Megaupload. Megaupload, you see, is a file locker site, and the recording industry has made it crystal clear that it’s at the top of the industry’s list of “rogue sites” that should be targeted under SOPA. Indeed, when the content industries talk about why SOPA is needed, they invariably cite file lockers generally as the very epitome of a “rogue site.” It is, therefore, a little awkward to have their own artists pointing out the obvious: File lockers can be used by pirates to share infringing files, but also host an enormous amount of perfectly legitimate content, uploaded by users who would be effectively silenced (and cut off from their own files) if the entire site were blocked. Similarly, the recording industry thinks copyright gives it the power to veto cloud-based music storage services, which serve as a kind of virtual hard drive from which users can remotely access and play their own legally purchased and uploaded music. It’s a great convenience for consumers—but the labels think they can use copyright to stop it unless they’re paid a cut.

We might also look to some of the seizures of U.S.-registered sites by Immigration and Customs Enforcement. The sports site Rojadirecta—registered in the U.S. but based in Spain—was seized on the theory that linking to infringing video of sporting events hosted elsewhere on the Internet is enough to trigger forfeiture, even though Spanish courts have repeatedly ruled that such conduct (however shady it might seem) is legal in Spain. As lawyers for the government argued, invoking the very same statute that would provide the basis for SOPA censorship:

“[A]ny property used … in any manner or part to commit or facilitate the commission of an offense [such as criminal copyright infringement]” is subject to forfeiture…. Moreover, it is “[i]rrelevant whether the property’s role in the crime is integral,essential or indispensable,”… and a single incident of facilitating criminal activity is sufficient to trigger forfeiture.

The government further notes that they’re not directly charging Rojadirecta with criminal infringement (nor indeed do they ever have to bring such charges), which means no need to meet that pesky “beyond reasonable doubt” standard—or even “probable cause”. All the government needs for forfeiture, they assert, is a “reasonable belief” that a domain is being used to “facilitate” criminal infringement. This despite the fact that, in the context of obscenity laws, the Supreme Court has held that “Mere probable cause to believe a violation has transpired is not adequate to remove books or film from circulation.” Now, Rojadirecta’s business model is certainly shady, and maybe they’re even guilty of criminal infringement. But are we really comfortable with an entire domain, including vibrant discussion forums that clearly enable protected, non-infringing speech, being blocked pursuant to a “reasonable belief” standard, forcing the company to hire U.S. lawyers and prove their innocence to win the right to speak to U.S. users?

Then there’s the case of Dajaz1.com, a hip hop blog seized for over a year by the government for hosting infringing music files. Except it turned out that those files had actually been provided by PR firms, working for the music labels, who hoped blogs like Dajaz1 would circulate them to create buzz for up-and-coming artists.  Oops!

As legal scholar Jason Mazzone has amply documented, the use of dubious copyright claims to chill legitimate speech is depressingly common. The voting machine manufacturer Diebold has tried to use copyright to shut down whistleblower sites that published internal e-mails highlighting security vulnerabilities in software that could determine the outcome of elections. The Church of Scientology has similarly invoked copyright to stifle criticism. In Russia, political opposition groups are routinely raided under the pretext of searching for copyrighted software. Research suggests that most copyright takedown claims to search engines like Google are issued by companies targeting their competitors, and that nearly a third of takedown notices under the Digital Millennium Copyright Act lack a clear basis.

I could easily fill a dozen long blog posts with examples, but let’s cut to the chase. Major movie studios and music labels draw a lot of water in D.C.: The fact that a bill as massively unpopular as SOPA is even being seriously considered, let alone likely to pass, is proof of that. They will effectively control which foreign domains the Justice Department chooses to block directly, and shop around for friendly judges amenable to rubber-stamping orders in civil litigation that require payment providers and ad networks to cut off disfavored sites.  The likely targets are their competitors, whether the copyright claims are valid or not. Sites like YouTube that provide entertaining user-generated videos are one less reason to pony up for the next lackluster Adam Sandler movie. Sites that give musicians a way to gain exposure to fans and market their albums without giving a cut to the increasingly redundant middleman threaten to make the labels  obsolete.  And if open platforms invariably end up hosting some infringing content uploaded by users? Well, that’s as good a pretext as any for shutting down the competition.

Why do critics of SOPA worry that the bill will threaten legitimate speech and innovation?  Because its supporters have spent three decades providing overwhelming justification for that fear at every opportunity.  If I may end by making a bit of “fair use” of the genius of former Smiths front-man Morrisey:

He was a sweet and tender hooligan, hooligan

He said that he’d never, never do it again

And of course he won’t, oh, not until the next time

Empowered with the ability to threaten blocking of entire domains, I’d rather not see what the copyright hooligans do “next time.”

How Would SOPA Be Used? is a post from Cato @ Liberty - Cato Institute Blog

Watching the House Judiciary Committee’s markup session on the latest version of the Stop Online Piracy Act, I’m struck by how the bill exemplifies what F.A. Hayek called the “Fatal Conceit” of government planners and regulators. As Rep. Jason Chaffetz noted with incredulity, a bill that would perform major surgery on the Internet is moving forward, at breakneck speed, without any doctors in the room. Legislators who think it’s cute to make jokes about how little they understand network technology are endorsing regulation of that technology, in statutory language has only just been introduced in its current form, without so much as a hearing from the actual engineers who are loudly warning of its grave defects. But the “fatal conceit” is inherent in the attempt to issue this kind of top-down mandate on the Internet, even with the best expert advice.

In many ways, the Internet is a perfect embodiment of Hayek’s concept of an evolved “spontaneous order.” Its enormous complexity is the product of relatively simple rules that allow individuals to deploy their local knowledge productively without having to understand the total system. Each layer in the “stack” of protocols in the Internet is independent, which means I can write a network application or generate content without having to understand the details of Internet addressing, packet routing, or how WiFI and Ethernet work: I just need to know how to pass application data to the next layer.

Moreover, the standards themselves are the product of gradual evolution, as engineers voluntarily adopt them following a long process of deliberation and consensus-building. Often, that makes the process necessarily quite slow. As former assistant DHS secretary and NSA general counsel Stewart Baker observes, the vital DNSSEC standard, designed to secure the Internet addressing system and guard against malicious hijacking of Internet traffic, has been in the works for 15 years. But SOPA would create massive regulatory uncertainty about the status of client software robustly implementing that standard. In short, argues Baker, “SOPA will kill DNSSEC,” to the detriment of global cybersecurity. Legislators seem to imagine that they can simply add language saying that their mandates aren’t meant to impair cybersecurity, as if uttering the magic words were enough to make it so. But you can’t just inject a top-down national mandate into a global evolutionary process and expect to achieve the effects the planners intend without disruptive consequences.

This isn’t just a narrow issue with one specific protocol, though. The general approach of SOPA is to attempt to solve a content problem—copyrighted material circulating illicitly—with a mandate targeting a completely different level of the Internet’s architecture, where domain names are translated into network addresses.That guarantees a poor fit between regulatory aims and outcomes, and enormously magnifies the likelihood of unpredictable and unintended consequences. That unpredictability is increased because—in what might otherwise seem like a wise example of regulatory flexibility—SOPA leaves it to providers to pick the best method of blocking forbidden sites, which means we’re likely to see different providers testing a variety of approaches. A dramatic example of how attempts to blocking can generate unexpected cascading failures was provided in 2008, when Pakistan ordered the blocking of YouTube—and inadvertently broke access for millions of users around the world.

Some legal scholars have suggested a “Layers Principle” to guide Internet policymaking. In brief, legislators and regulators should respect the independence of Internet layers by targeting solutions, as nearly as possible, at the layer where the problem exists. The Digital Millennium Copyright Act takes this sort of approach by providing a notice-and-takedown mechanism that targets specific cases of infringing content. SOPA, by contrast, violates this principle by seeking to solve a content problem by regulating the Internet’s addressing system. A Congress that displayed a modicum of humility about its ability to effectively redirect the operation of such a complex, organic, evolving system would accept that these blunt and broad interventions, however well-intentioned, are more likely to damage the system than achieve the intended result.

Why Hayek Would Hate SOPA is a post from Cato @ Liberty - Cato Institute Blog

On Thursday, the House Judiciary Committee is slated to take up the misleadingly named Stop Online Piracy Act, an Internet censorship bill that will do little to actually stop piracy. In response to an outpouring of opposition from cybersecurity professionals, First Amendment scholars, technology entrepreneurs, and ordinary Internet users, the bill’s sponsors have cooked up an amended version that trims or softens a few of the most egregious provisions of the original proposal, bringing it closer to its Senate counterpart, PROTECT-IP. But the fundamental problem with SOPA has never been these details; it’s the core idea. The core idea is still to create an Internet blacklist, which means everything I say in this video still holds true:

Let’s review the main changes. Three new clarifying clauses have been added up front: the first two make clear that SOPA is not meant to create an affirmative obligation for site owners to monitor user content (good!) or mandate the implementation of technologies as a condition of compliance with the law (also good!). But the underlying incentives created by the statute push strongly in that direction whether or not it’s a formal requirement: What else do we imagine sites threatened under this law because of user-uploaded content or links will do to escape liability? A third clause says the bill shouldn’t be construed in a way that would impair the security or integrity of the network—which is a bit like slapping a label on a cake stipulating that it shouldn’t be construed to make you fat. These are all nice sentiments, but they remind me of the old philosophers’ joke: “You’ve obviously misinterpreted my theory; I didn’t intend for it to have any counterexamples!”

The big changes in the section establishing court-ordered blocking of supposed “rogue” sites appear to be intended to respond to the objections of cybersecurity professionals and network engineers, who pointed out that requiring falsification of Domain Name System records to redirect users from banned domains would interfere with a major government-supported initiative to secure the Internet against such hijacking. The updated language explicitly disavows the idea of redirection, removes a hard five-day deadline for compliance, and (crucially) says that any DNS operator (like your ISP) has fully satisfied its obligations under the statute if it simply fails to respond to DNS queries for blacklisted sites.

This is bad for transparency, in both the engineering and democratic senses of that term, insofar as it makes a government block indistinguishable from a technical failure, but it does, in a sense, address the direct conflict with DNSSEC. But as network engineers point out, a well-designed application implementing DNSSEC isn’t just going to give up when it doesn’t get a valid, cryptographically signed reply: it’s going to try other DNS servers (including servers outside US jurisdiction) until it finds one that answers.

There are two possibilities here. The first is that application designers don’t design their software properly to implement DNSSEC for fear of liability under the statute’s anti-circumvention provisions, which would be a Very Bad Thing. The second is that they’re assured they won’t be held liable for good design, in which case this whole elaborate censorship process—which was never going to be particularly effective against people who actually want to find pirated content—becomes a truly farcical pantomime, in which nobody running reasonably up-to-date clients even notices the nominal “blocking,” beyond a few seconds delay in resolving the “blocked” site. Now, if we’ve got to have an Internet censorship law, a completely impotent one is surely the best kind, but it becomes a bit mysterious what the point of all this is, beyond providing civil libertarians with a chuckle at the vast amount of money Hollywood has wasted ramming this thing through.

The other big change is to the private right of action, which previously would have allowed any copyright holder to unilaterally compel payment processors and ad networks to cut off sites that it merely accuses of infringement, or enabling infringement, or (in a baffling specimen of tortured language) taking “deliberate actions to avoid confirming a high probability” that the site would be used for infringement. That last little hate crime against English is mercifully absent from the revised SOPA, and it makes clear that only foreign sites are covered, and a judge is now required to actually issue an order before intermediaries are obligated to sever ties.

Which ultimately goes to show that the original proposal was so profoundly wretched that you can improve it a great deal, and still have a very bad idea. This is still, as many legal scholars have correctly observed, censorship by slightly circuitous economic means. The involvement of a judge should (knock on wood) weed out the most obviously frivolous complaints, but it still makes it far too easy for U.S. corporations to effectively destroy foreign Internet sites based on a one-sided proceeding in U.S. courts.

These changes are somewhat heartening insofar as they evince some legislative interest in addressing the legitimate concerns that have been raised thus far. But the problem with SOPA and PROTECT-IP isn’t that they need to be tweaked in order to get the details of an Internet censorship system right. There is no “right” way to do Internet censorship, and the best version of a bad idea remains a bad idea.

The New SOPA: Now With Slightly Less Awfulness! is a post from Cato @ Liberty - Cato Institute Blog

I wrote on Monday that a cybersecurity bill overwhelmingly approved by the House Permanent Select Committee on Intelligence risks creating a significantly broader loophole in federal electronic surveillance law than its boosters expect or intend.  Creating both legal leeway and a trusted environment for limited information sharing about cybersecurity threats—such as the idenifying signatures of malware or automated attack patterns—is a good idea. Yet the wording of the proposed statute permits broad collection and disclosure of any information that would be relevant to protecting against “cyber threats,” broadly defined. For now, that mostly means monitoring the behavior of software; in the near future, it could as easily mean monitoring the behavior of people.

A recent—and somewhat sensationalistic—Fox News article rather breathlessly describes a newly-unveiled security system dubbed PRODIGAL, or Proactive Discovery of Insider Threats Using Graph Analysis and Learning, which “has been built to scan IMs, texts and emails . . . and can read approximately a quarter billion of them a day.” The article explains:

“Every time someone logs on or off, sends an email or text, touches a file or plugs in a USB key, these records are collected within the organization,” David Bader, a professor at the Georgia Tech School of Computational Science and Engineering and a principal investigator on the project, told FoxNews.com.

PRODIGAL scans those records for behavior — emails to unusual recipients, certain words cropping up, files transferred from unexpected servers — that changes over time as an employee “goes rogue.” The system was developed at Georgia Tech in conjunction with the Defense Advanced Research Projects Agency (DARPA), the Army’s secretive research arm that works on everything from flying cars to robotic exoskeletons.

Don’t panic just yet: This is strictly being deployed on the networks of government agencies and contractors that handle sensitive information—places where every employee is well aware that their use of the network is subject to close scrutiny, and with good reason.  There’s not really anything to say in principle against the use of such systems in this context, or for that matter on closed business networks where users are on clear notice that such monitoring occurs.

It would, by contrast, be a clear and quite outrageous invasion of privacy for such large-scale behavioral monitoring to be conducted on the residential or mobile broadband networks Americans rely on to provide their personal Internet connectivity—a fortiori if the goal is to share the results with the government without a court order.  As I read it, however, House Intel’s cybersecurity bill would at least arguably permit precisely that.

Under the current language, as long as an Internet provider had a credible good faith belief that it was collecting and sharing behavioral information for one of several broadly defined “cybersecurity purposes”—say, by creating behavioral profiles of potential hackers, disruptive cyberactivists, or “misappropriators” of intellectual property—they’d enjoy full civil and criminal immunity for such actions. That would make any contractual promises to abstain from such monitoring unenforceable—in the highly unlikely event that ordinary users were even able to determine reliably what sort of information was being shared. It would be, to put it as mildly as possible, extraordinarily poor civic hygiene to  enable the construction of this kind of quasi-public/quasi-private monitoring and profiling architecture.

This is not, I believe, the sort of thing the bill’s own architects aspire to bring about.  But the abstract language employed in pursuit of technological neutrality here avoids the risk of obsolescence only by sacrificing predictability.  Courts have recently begun signalling that they’re belatedly inclined to start insisting on full Fourth Amendment search warrants whenever government seeks digitally stored private contents, closing down statutory loopholes that sometimes gave investigators easier access. And now, just as one backdoor closes, a new backchannel granting access to otherwise private and protected material without any judicial process opens up? It does not take a cynic to predict that there will be a potent and persistent incentive to stretch any such channel as wide as the elastic bonds of the English language will permit.

The cleanest way to foreclose this is not to paste in a bunch of after-the-fact usage controls, minimization protocols, or special reports to Congress—though those aren’t bad ideas either. It’s to admit that Congress lacks psychic powers, which may entail that statutes regulating protean areas of technology  have to be (or ought to be) swapped for the newer model about as often as iPhones. The specific, narrow categories of sharing everyone thinks are important and unobjectionable from a privacy perspective can be specifically, narrowly authorized now. In a decade, when we’re beaming thoughts directly to each other via quantum-entangled biomechanical brain implants, we can decide what specific statutory language solves the novel security problems of that technology, in a manner consistent with the Fourth Amendment.

Big Brothers, PRODIGAL Sons, and Cybersecurity is a post from Cato @ Liberty - Cato Institute Blog

“What we obtain too cheap,” Thomas Paine famously wrote, “we esteem too lightly”—and it turns out that the converse holds true as well. It’s a well known and robustly confirmed finding of social psychology that people tend to ascribe greater value to things they had to pay a high cost to obtain. So, for instance, people who must endure some form of embarrassing or uncomfortable hazing process or initiation rite to join a group will report valuing their participation in that group much more highly than those admitted without any such requirement—which is one reason such rituals are all but ubiquitous in human societies as a way of creating commitment. Studies suggest that people are more likely to read automobile reviews after purchasing a new car than before—suggesting that people are sometimes less concerned with spending money in the most judicious fashion than with convincing themselves, after the fact, that they have done so. More morbidly, relatives of soldiers killed in action sometimes become much more fervent supporters of the war that cost them a loved one—because the thought that such a grave loss served no good purpose is too much to stomach.

I suspect that this phenomenon may help explain the dispiriting state of affairs described by an airline industry insider in an important Wired piece on airport security. The short version: we’ve spent some $56 billion on “enhancing” airport security over the past decade, with almost no actual security enhancement to show for it. We’re spending huge amounts of money and effort on burdensome passenger screening that doesn’t seem very effective, while neglecting other, far more vulnerable attack surfaces. It is, when you think about it, a somewhat strange priority given the abundance of highly vulnerable domestic targets. Reinforced cockpit doors and changed passenger behavior pretty much made a repeat of a 9/11-style suicide hijacking of a domestic flight infeasible—at negligible economic and privacy cost—long before we started installing Total Recall style naked-scanners, which makes explosives the real remaining risk. Yet the notable bombing attempts by passengers we’ve seen since 9/11 have (a) originated outside the United States, and (b) been foiled by alert passengers after the aspiring bomber slipped through the originating country’s formal screening process.

This shouldn’t be terribly surprising: when a terror group has already managed to get an operative into the United States, a domestic flight (that can’t be turned into a missile) would be one of the stupider, riskier targets to select, given the enormous array of much softer target options that would be available at that point, even assuming pre-9/11 airport security protocols. As far as I’m aware, the last time a passenger successfully detonated a bomb on a U.S. domestic flight was in 1962. This presents something of a puzzle: Why have we focused so disproportionately on this specific attack vector, at such disproportionate cost, when the terrorists themselves have not? Why haven’t we reallocated scarce resources to security measures (such as better screening of airline employees) that would provide greater security benefit at the margins? One possibility is that, having accustomed ourselves to submitting to the hassle and indignity of ever more aggressive passenger screening, we become more disposed to believe that these measures are necessary.

It’s become commonplace to refer to many aspects of airport screening—the removal of shoes, the transparent plastic baggies for your small allotment of shampoo—as “security theater.” Security guru Bruce Schneier coined the term to refer to security measures whose ritualistic purpose is to make passengers feel safer, even though they do almost nothing to actually increase safety. But on reflection, this seems wrong. It probably holds true in the immediate aftermath of a high-profile attack or disaster. Once the initial heightened fear subsides, however, these visible and elaborate security measures probably do more to increase our perception of risk than to assuage our fears. It is, after all, something of a cliche that hyperprotective parents tend to end up raising children who see the world as a more dangerous place. Overreacting to childhood illnesses is one reliable way of producing adult hypochondriacs down the road.

Security theater, then, isn’t only—or even primarily—about making us feel safer. It’s about making us feel we wouldn’t be safe without it. The more we submit to intrusive monitoring, the more convinced we become that the intrusions are an absolute necessity. To think otherwise is to face the demeaning possibility that we have been stripped, probed, and made to jump through hoops all this time for no good reason at all. The longer we pay the costs—in time, privacy, and dignity no less than tax dollars—the more convinced we become that we must be buying something worth the price. Hence, the Security Theater Cycle: the longer the ritual persists, the more normal it comes to seem, the more it serves as psychological proof of its own necessity.

The Security Theater Cycle is a post from Cato @ Liberty - Cato Institute Blog

It’s gotten surprisingly little media attention thus far, but late last week the House Permanent Select Committee on Intelligence approved a bill to facilitate sharing and pooling of “cyber threat information” between private companies and government intelligence agencies—in particular, the übergeeks at the National Security Agency. It’s actually not a bad idea in principle. But the original draft was so broad that that the White House felt compelled to express concerns about the lack of privacy safeguards—which should give you pause, considering how seamlessly President Obama has shifted from thundering against the Patriot Act to quietly embracing the ongoing kudzu growth of our surveillance state.  A few encouraging tweaks were hastily added before the committee approved it, but the bill’s current incarnation still punches an enormous hole in the wiretapping laws that have, for decades, been a primary guarantor of our electronic privacy.

First, a bit of context. Whenever you send an e-mail, start an IM chat, place a VoIP call, visit a web page, or download a file, your traffic passes through many intermediary networks, starting with your own broadband or wireless provider.  While savvy users will protect their sensitive communications with encryption, our expectation of privacy when we use the Internet is also safeguarded by federal law, which generally prohibits network owners providing transit services to the general public from intercepting, using, or disclosing the contents of other people’s communications in any way beyond what’s needed to get the traffic from sender to recipient in the ordinary course of business. There are exceptions, of course: for law enforcement monitoring subject to a warrant, for emergencies, for consensual interceptions, and for monitoring that’s necessary to the protection of a provider’s own network. But the presumption against interception is strong and typically hard to overcome. (Non-public networks, like a corporation’s private intranet, are another story, of course.)  Communications metadata—the information about who is talking to whom, and by what route—is less stringently regulated, but carriers are still barred from sharing that information with the government absent some form of legal process. The motivation for all of this is the understanding that heavily regulated carriers, which also often compete for lucrative government contracts, would be subject to government pressure to “voluntarily” share their customers’ data (especially if the sharing could be done secretly).  Thus, the law ensures that the government will have to observe the niceties of judicial process before digging through citizens’ private communications, rather than relying on the “informal cooperation” of intermediaries.

This generally salutary arrangement does, however, create some difficulties in the cybersecurity context. Carriers and cybersecurity providers who have visibility on multiple private networks will often be in an optimal position to detect a wide array of attack patterns, involving both metadata (where are apparent attacks coming from? what timing patterns do they exhibit) and contents (what characteristic “signatures” indicate the presence of viruses, malware, or mass phishing emails).  This is information it’s highly valuable to have shared among providers—and, yes, the government too—and which generally doesn’t implicate the kinds of privacy interests wiretap law is supposed to protect. But legislators (or rather, the staffers who actually draft these bills) are generally keen to craft “tech neutral” laws that aren’t bound too tightly to current technologies and vulnerabilities, and therefore won’t be obsolete in the face of new tech or new threats. Unfortunately, this often entails erring on the side of breadth, which in this case means creating a massive loophole to remove a minor obstruction—the legislative equivalent of blowing your nose with C-4.

The bill provides that, “notwithstanding any other provision of law,” a company that provides cybersecurity services for its own networks or others may use “cybersecurity systems” to acquire “cyber threat information,” and share such information with any other entity, including the government. (One of the amendments introduced last week stipulates that the government may use and share that information only when one “significant purpose” of such use is the protection of national security or cybersecurity.)  The crucial question, of course, is what counts as “cyber threat information.” That term is defined to encompass:

information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from—

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

The intention here is to cover the sort of information I talked about earlier—intrusion patterns and malware fingerprints.  On a literal reading, though, it might also include Julian Assange’s personal IM conversations (assuming he ever had an unencrypted one), or e-mails between security researchers.  Moreover, one important purpose of this information sharing is to be able to distinguish malicious from benign traffic—which may mean combing through a big chunk of traffic logs surrounding a suspected or confirmed penetration attempt (and comparing those logs to others) in order to extract the hostile “signal” from the background noise. That makes it extremely likely that a substantial amount of wholly innocent, and potentially sensitive, information about ordinary Americans’ Internet activities will end up in the sharing pool. Many attacks will appear to originate from computers conscripted into malicious botnets by malware, unbeknownst to owners whose legitimate personal traffic could easily be swept in and shared as “cyber threat information” as well. The current proposal doesn’t require minimization or anonymization of personal information unless the companies sharing the information impose such conditions themselves. Finally, “cybersecurity systems” is sufficiently vaguely defined that one could even imagine a sysadmin with a vigilante streak reading it to include aggressive countermeasures, like spyware targeting suspected attackers. After all, “notwithstanding any other provision of law” includes provisions of (say) the Computer Fraud and Abuse Act that would place such tactics out of bounds.

Intelligence agencies are also  empowered to share classified cyberintelligence with designated companies—and heaven help the firm that’s starved of that security information while their competitors have access to it. Another of the amendments added last week expressly bars conditioning such intelligence sharing on any particular company’s level of “voluntary” cooperation, and clarifies that the intelligence companies may not “task” private companies with obtaining specific types of information for them. Which is nice, but seems awfully hard to enforce in practice.  What we’ve already seen, unfortunately, is that cozy long term collaborative relationships between carriers and intelligence agencies are breeding grounds for abuse, even when the law actually does prohibit the carriers from sharing information without legal process. It’s desirable to create legal space for limited cyberthreat information sharing—but it has to be done without creating a large and tempting backdoor through which government might seek to use “voluntary information sharing” as a way to avoid getting a warrant or court order.

A Cybersecurity Exception to Wiretap Laws? is a post from Cato @ Liberty - Cato Institute Blog

I’m seeing a lot of technology news sites reporting,  in tones of shock and horror, on a recent court ruling holding that people generally waive their Fourth Amendment “expectation of privacy” in data collected on them by Internet sites, at least when the sites give some kind of notice (however buried in legalese) that they do collect that data.  That means, in this instance, that the government can obtain detailed connection records from Twitter about users associated with Wikileaks without a full-blown Fourth Amendment warrant based on probable cause: A subpoena or a court order based on a far weaker claim of “relevance” to an investigation will suffice.

But this isn’t some shocking new precedent. It’s been the status quo since 1986, when our increasingly outdated electronic privacy laws were written, and arguably for longer than that.

There are plenty of problems with this most recent decision, to be sure. For one, as security researcher Chris Soghoian notes, the court based its opinion on the current Twitter privacy policy, even though the policy in effect at the time the targets of the investigation signed up for the site was significantly more protective. In a way, though, this seems unnecessary: Under the misguided Supreme Court decisions that established our modern “third party doctrine,” contractual promises of privacy don’t matter.

In other words, users are held to “assume the risk” that any third party might turn their information over to the government, effectively waiving their Fourth Amendment rights over that data, even if the third party explicitly promises not to do this. The one reason the privacy policy might be relevant here is that the “third party doctrine” covers information knowingly conveyed to third parties, and while it’s obvious that you “convey” a dialed phone number to the phone company when you make a call (for instance), it might not be as obvious that Web sites you visit are logging your Internet Protocol address.

Still, there’s nothing fundamentally new here: The government routinely obtains “transactional” information or “metadata” (as opposed to the contents of communication) without bothering with a search warrant. Google received nearly 6,000 government requests for user data in January–June of this year (not counting national security requests, which the company is gagged from reporting), and most experts believe the volume of requests to Internet Service Providers like Comcast or Verizon is vastly higher.

But unlike wiretaps—which totaled just over 3,000 for all criminal investigations in 2010—there’s no requirement that courts track and report aggregate numbers for such requests. That means a hugely more common form of government monitoring is effectively invisible. The only unusual thing about the demand for information from Twitter in the Wikileaks investigation is that the public has become aware of it.

A good first step toward a more sane policy—one that ought to be a no-brainer whatever one’s position on the desirable level of online privacy—would be to require statistics on these user data requests to be compiled, just as they already are for wiretaps. Perhaps Americans will be comfortable with the current levels of government spying on Internet activities, and perhaps they’ll demand change. Either way, though, citizens in a democracy surely have a right to be informed about the scope and scale of government spying on their digital activities—and the reactions to this court ruling make it obvious they aren’t.

Internet Belatedly Notices How Much Spying Government Can Do Without a Warrant is a post from Cato @ Liberty - Cato Institute Blog

As Jim Harper noted yesterday, the questioning during yesterday’s oral arguments in United States v. Antoine Jones suggested to most observers that the Supreme Court is acutely concerned about the dangers of leaving police use of location tracking technology completely unregulated by the Fourth Amendment. “If you win this case,”  Justice Stephen Breyer told the government’s lawyer, “then there is nothing to prevent the police or government from monitoring, 24 hours a day, the public movement of every citizen of the United States…. You produce what sounds like Nineteen Eighty-Four.” Yet, as I observed in a previous post, the Court has a wide array of rationales to choose from if it decides to rule in favor of Antoine Jones, and each has different implications for the larger question of how the Constitution will limit a whole array of location tracking technologies.

The simplest and narrowest ruling against the government here — one that seemed to appeal to Justice Scalia — would focus not on the monitoring, but only on the physical intrusion on property involved in the installation of the tracking device.  That is, I think, absolutely right as far as it goes, but would only prolong the deeper questions, since there are many high-tech ways to track someone without physically attaching anything to their property, from the cell-phone tracking already in widespread use, to robotic surveillance insects in the foreseeable future. Many on the Court would seemingly prefer to avoid a game of technological whack-a-mole, and find a principle to regulate location monitoring itself. The appeals court in this case relied on what’s come to be called the Mosaic Theory, which holds that  prolonged monitoring may invade privacy, even if all the specific journeys — all the tiles in the “mosaic” — are public when considered in isolation.

The virtue of the Mosaic Theory is that it captures a deep underlying truth about our complex, socially embedded “reasonable expectations of privacy.” The defect is that courts and police need clear rules: Any principle that requires ad hoc assessment of complex and contextual social facts is a nonstarter. That’s why, after roasting the government’s attorney, the Court tried to force Jones’ lawyer to articulate some kind of bright line test that would distinguish permissible from impermissible monitoring. If tracking someone 24/7 for a month violates people’s expectation of privacy, but following them on a single trip doesn’t, how do you draw the line? Really, this is just a special case of the notoriously difficult “Sorites Problem” in philosophy: Sometimes you confront a gradient or continuum where things on one end obviously do have some property (like “being a privacy violation”), things on the other end don’t, but you can move in arbitrarily tiny steps from one end to the other, and it seems absurd to pick any particular point as a binary boundary.

But this doesn’t seem like it ought to be a problem if we’re thinking clearly — and the Court has already found a perfectly satisfactory way of dealing with it in another famous case: Kyllo v. United States. In ruling that the use of thermal imaging scanners to detect marijuana-growing lamps in a home violated the Fourth Amendment, Justice Scalia considered the objection that (much like GPS trackers), the scanners would often reveal only information that could have been obtained by ordinary observation from a public space:

The fact that equivalent information could sometimes be obtained by other means does not make lawful the use of means that violate the Fourth Amendment. The police might, for example, learn how many people are in a particular house by setting up year-round surveillance; but that does not make breaking and entering to find out the same information lawful.

The key point here is that there’s a difference between the information exposed by an investigative method, and the investigative method itself. The Court in Kyllo did not say that police may use thermal imaging scanners just to the extent that they reveal information about the home that could also, in principle, be obtained by some other legitimate method (though perhaps with greater difficulty or expense); they opted to regulate the technology categorically.  It may be that people knowingly expose their movements to the public, but that’s not what’s initially being monitored here. What police who use GPS tracking are monitoring is signals emitted by a surreptitiously installed tracking device. And that information was certainly not knowingly exposed to the public by Antoine Jones, or most drivers.

It’s an interesting question whether even ordinary visual surveillance in public — whether by a “tail” or by technologies in general public use, like video cameras — could become so prolonged and invasive as to trigger Fourth Amendment protection, but this isn’t ordinary visual surveillance, which relieves the Court of the need to answer that question here. They can regulate the technological method categorically, even if we can envision uses that would be practically equivalent to other, permissible methods in terms of the type and quantity of information obtained.  In those cases, of course, police are welcome to simply use those other methods.  The main appeal of GPS tracking, of course, is that it provides far more information than is feasible for most police departments to obtain by visual observation — and in those cases, a magistrate judge can make the specific decision about a “reasonable” duration of surveillance. Since the officers in this case actually did get a judicial warrant before installing their tracker — they just failed to install it before the warrant expired—there’s no reason to think that this constitutes some unreasonable burden.

The apparent problem with this approach is that the Court’s opinion in Knotts seems to have rejected such categorical regulation. But, as no less an authority than the inventor of GPS himself stressed in an amicus brief filed by the Center for Democracy and Technology, the tracking “beepers” at issue in Knotts are a fundamentally different technology from GPS trackers. Though they actually monitor radio signals rather than visual impressions — just as GPS does — they are best thought of as augmenting ordinary visual observation by officers who are physically present in a nearby car or aircraft. It might be true in a particular case that police could not effectively tail a suspect without risking detection but for the beeper, because they’d have to follow too closely, but the central method of surveillance here is still ordinary visual observation. The beeper, in this case, is more like a flashlight than a thermal imager. GPS does not augment visual observation; it replaces visual observation. That, I think, means that there’s just no need to puzzle over the permissible quantity of information that can be obtained as though we were still talking about a physical tail with a little technological boost.  We’re not. It’s an utterly different method that can be regulated categorically, and without regard to whether some different and unregulated method might yield some of the same information. It’s true that the reason you want to regulate this method is that it has the capability to gather more information, more easily and cheaply, in a way that exceeds people’s reasonable expectations.  But that doesn’t mean you have to solve the Sorites Problem and pick some particular marginal quantum of information as the boundary, where monitoring below that level is consistent with social expectations of privacy, and monitoring above that level is not. Rather, you can say that because of its capacity for such intrusive monitoring, people reasonably expect not to be subject to that method at all. The Fourth Amendment, recall, does not just protect against unreasonable searches, but the right to be “secure” against unreasonable searches—and that security would hardly be protected if a method intrinsically capable of “unreasonable” intrusiveness were permitted without a warrant, and all of us had to trust police to determine the point at which its application in each particular case crossed into “unreasonableness.”

The fuzziness of the boundary here, in other words, is no argument at all for deference. It’s an argument for imposing a categorical warrant requirement on a class of technologies and letting the issuing magistrate evaluate the bounds of reasonableness in the instance.  As in Kyllo, you draw the bright constitutional line by looking at the capabilities of a technological type, not by trying to craft an impossible rule that permits specific uses of the type that are informationally equivalent to other, permissible methods. It is the capability of the technology to reveal an intrusive “mosaic” that justifies its categorical treatment as a search, and as long as it’s clear that many typical uses of that technology would fall on the wrong side of “reasonable,” the tough question of “exactly how many tiles does it take?” is one the Court can happily decline to answer.

High Tech Surveillance: Where to Draw the Line? is a post from Cato @ Liberty - Cato Institute Blog

One would like to say: whatever is going to seem right to me is right. And that only means that here we can’t talk about ‘right.’ — Ludwig Wittgenstein, Philosophical Investigations §258

Among the arguments for which the great 20th century philosopher Ludwig Wittgenstein is famous, perhaps the best known—and most controversial—is his argument for the impossibility of a truly “private language.” Since Wittgenstein’s own language was, if not quite “private,” notoriously opaque, it’s a matter of some controversy exactly what the argument is, but here’s a very crude summary of one common interpretation:

Language is, by it’s nature, a rule-governed enterprise. Under normal circumstances, for instance, I use words correctly when I say “there’s a yellow school bus outside,” just in case there is a yellow school bus outside. If, instead, there’s a blue Prius, then I may be lying, or trying to make some sort of signally unfunny joke, or confused about either the facts or about what words mean—but I am, one way or another, using the words “incorrectly.” And indeed, the only way words like “yellow” and “school bus” can have any specific meaning is if they’re correctly applied to some things, but not to others.

Now suppose I decide to invent my own private language, meant to describe my own internal sensations and mental states, maybe for the purpose of recording them in a personal diary. On the first day, I experience a particular sensation I decide to call “S,” and record in my diary: “Today I felt S.” As time passes, on some days I write S to describe my private sensations, and on other days maybe I come up with different labels—maybe T, U, and V. This certainly looks like a private language, but there’s a problem: each time I write down “S,” the idea is suppose to be that I’m recording that I had the same sensation I had the first day—S—and not T, U, or V. But what’s the criteria for “the same”? What makes it true that my sensation on day 27 really is “more like” the sensation S that I had on day 1, and not V, which I first had on day 16? How do I know that this new sensation is really an S and not a V? (Say S was an itch in my hand; will I be correct to use S to refer to an itch in my shoulder? Or a pain in my hand? Or for that matter a pain in my shoulder?) The only criterion is that it seems or feels that way to me. But in that case, I’m not really engaged in a rule-governed language system at all, because in effect S applies to whatever I decide it does. Since I can never really be wrong, it doesn’t really make sense to say I’m ever right in my use either. Since the terms are truly private, there’s no difference between “correctly applying S” and “specifying in greater detail what S means.” What looked like a “private language” was actually just a kind of pantomime of a true, rule-governed language.

I found myself thinking of Wittgenstein and his private language argument, oddly enough, when thinking about the various forms of “secret law” and “secret legal interpretations” that increasingly govern our endless War on Terror. Consider, for instance, the secret legal memorandum justifying the assassination of Anwar al-Awlaki, discussed in an October 8 New York Times piece:

The legal analysis, in essence, concluded that Mr. Awlaki could be legally killed, if it was not feasible to capture him, because intelligence agencies said he was taking part in the war between the United States and Al Qaeda and posed a significant threat to Americans, as well as because Yemeni authorities were unable or unwilling to stop him.

Whether or not one agrees with the substantive principle articulated here, this at least sounds like a real rule limiting the discretion of the executive. Except…who decides when a capture is “not feasible” (as opposed to merely risky, costly, or inconvenient)? The same executive who is meant to apply and be bound by the rule. Who determines when the threat posed by a citizen is “significant” enough to permit targeting? Again, the executive.

This is not, one might object, a wholly “private” interpretive problem, because the Office of Legal Counsel provides some kind of quasi-independent check: it will occasionally tell even a president that what he wants to do isn’t legal. But in that case, the president can simply do what Barack Obama did in the case of his intervention in Libya: keep asking different legal advisers until one of them gives you the answer you want, then decide that the more favorable opinion overrides whatever OLC had concluded.

Similar considerations apply to the “secret law” of surveillance. The FBI may issue National Security Letters for certain specific types of records—including “toll billing records”—without judicial approval, but these secret demands must at least be “relevant to an authorized investigation.” A weak limit, we might think, but at least a limit. Yet, again, the apparent limitation is illusory: it is the Justice Department itself that determines what may count as an “authorized investigation.” When Congress initially passed the Patriot Act a decade ago, an “authorized investigation” meant a “full investigation” predicated on some kind of real evidence of wrongdoing. Just a few years later, though, the attorney general’s guidelines were changed to permit their use in much more speculative “preliminary investigations,” and soon enough, the majority of NSLs were being used in such preliminary investigations. Needless to say, “relevance” too is very much in the eye of the beholder.

In most of these cases, the prospects for external limitation are slim. First, of course, anyone who disagreed with the executive’s secret interpretation would have to find out about it—which may happen only years after the fact in whatever unknowable percentage of cases it ever happens at all. Then they’d have to overcome the extraordinary deference of our court system to assertions of the State Secrets Privilege just to be able to have a court consider whether the government had acted illegally. In practice, then, the executive is defining the terms of, and interpreting, the same rules that supposedly bind it.

The usual thing to say about this scenario is that it shows the importance of checks and balances in preventing the law from being perverted or abused. If we think there is at least a rough analogy between these cases and Wittgenstein’s diarist writing in a “private language,” though, we’ll see that this doesn’t go quite far enough. What we should say, rather, is that these are cases where “secret law,” like “private language” is not merely practically dangerous but conceptually incoherent. They are not genuine cases of “legal interpretation” at all, but only a kind of pantomime. Perhaps what we should say in these cases is not that the president or the executive branch may have violated the law—as though there were still, in general, some background binding principles—but that in these institutional contexts one simply cannot speak of actions as “in accordance with” or “contrary to” the law at all.  Where the possibility of external correction is foreclosed, the objectionable and unobjectionable decisions alike are, inherently, lawless.

Wittgenstein, Private Language, and Secret Law is a post from Cato @ Liberty - Cato Institute Blog

Orin Kerr—easily one of our most lucid thinkers when it comes to applying the Fourth Amendment to new technologies—argues at Volokh Conspiracy that, while it’s a hard call whether the installation of a GPS tracking device to a vehicle counts as a Fourth Amendment “search” or “seizure,” the Supreme Court should not treat the use of such devices as a search when it decides United States v. Antoine Jones later this term. Rather, he argues, the Court should hew to a bright line test that makes monitoring “inside” protected spaces a “search” requiring a warrant, while “outside” monitoring—as, for example, of a car traveling on public roads—is always permitted, regardless of the technological means by which that monitoring is carried out, or how extensive that monitoring is in scope or duration.  This is in line with Kerr’s reasoning in a thoughtful and important article about the application of the Fourth Amendment to the Internet, which I’ve already written about in this space.

First, it’s worth noting that Kerr’s core assertion—that the inside/outside distinction is already the one consistently applied by the Court—is at odds with some fairly unambiguous assertions in the very opinions he cites.  Kerr argues:

You get the same results whether you get these results under the “protected areas” test that preceded the 1967 Katz case, or the Katz “reasonable expectation of privacy” test that the Court has adopted since then. The results are the same: A search occurs when the government intrudes upon a private person, house, paper, or effect, but does not occur when the government merely observes something in a public space or in a space where the government is otherwise entitled to be.

But the majority in Katz goes out of its way to deny this:

[T]he Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection…. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected. [emphasis added]

It is true, of course, that in general  our reasonable expectations of privacy will track the line between public (outside) and private (inside) spaces. But this is, crucially, a defeasible presumption, as Kerr plainly concedes when he notes that a search does not occur “when the government merely observes something in a public space or in a space where the government is otherwise entitled to be.” If you have freely invited a police officer or informant into your home, where they smell marijuana, you cannot claim that any reasonable expectation of privacy has been violated, even though the odor may only be detectable from “inside” this private space. But then, as the majority in Katz suggests, the presumption should be equally defeasible on the other side: There may be cases where what can be observed in public is nevertheless reasonably expected to be private.

Indeed, Katz itself may be just such a case: It involved a bug placed on the outside of a phone booth, picking up only the faint vibrations from the conversation inside that reached the outside of the booth (though, of course, they would not have been audible to an unaided human ear that was not rather conspicuously pressed up against the glass).  We might imagine, instead, that the surveillance had been of the sort shown in the opening scene of Francis Ford Coppola’s masterpiece The Conversation, where a series of high-powered boom microphones and sophisticated audio filtering technology are used to capture a whispered exchange between a couple who are walking through a noisy plaza—and constantly checking to ensure that nobody is near enough to overhear. The majority supports its reasoning with the observation that Katz had stepped into a phone booth and “closed the door,” but nothing about the logic of Katz depends centrally on the bugged conversation occurring “inside” that closed booth. There’s no reason to think the decision would or should have been different if it had involved a scenario like Coppola’s, or a cell phone call placed from a desolate beach.

Kerr does consider some situations where monitoring from a public vantage point has been regarded as a search. On Kerr’s reading of the ruling in Kyllo, the use of a thermal imaging scanner to observe a house from outside, on a public street was nevertheless a search of the inside of the home. Similarly, the protection afforded to the “curtilage” of the home involves, in effect, expanding the penumbra of protection around the home so that some property literally “outside” is nevertheless “treated” as being “inside.”  At this point, it seems to me, the “inside/outside” distinction ceases to be a useful guiding principle and is exposed as a mere tautology.   If some kinds of monitoring are “treated as inside surveillance” even though, literally speaking, they involve only the “outside” of a protected space, “inside” has just become a term of art meaning “protected.”

This is even more obvious when we turn to monitoring of Internet surveillance, where Kerr  hopes the “inside/outside” distinction may be usefully employed. Because while one may speak (for instance) of e-mail header information or metadata as “outside,” by analogy with a mailed envelope, by contrast with the “inside” message contents, this is pure metaphor.  In a literal sense, they’re all just bits. Moreover, Internet communications operate on the Open Systems Interconnection model, which divides each Internet packet not into “inside” and “outside,” but rather seven nested layers. Kerr allows that it is sometimes a “tricky call” where the line between inside and outside surveillance falls. But as thinking about Internet communications should make clear, this is a misleading description. There is no “fact” about the inside/outside boundary for the Court to discover as it contemplates Internet surveillance, no independent dividing line that the Court might use to determine which aspects of the communication deserve protection. Rather, the decision about how the physical metaphor ought to apply to a digital communication just is the decision about what should be protected. In considering which parts of the bitstream are “like” the envelope exterior, and which are “like” the letter within—or for that matter, considering whether the right metaphor is a sealed letter or a postcard—the Court would have to appeal to other considerations.

Let’s return to the GPS tracking case, applying some of the reasoning from a decision that might seem to support Kerr’s “inside/outside” distinction: California v. Ciraolo. Here, the Court held that aerial observation by police of a marijuana garden in the curtilage of the home was not a Fourth Amendment search. Yet their argument for this doesn’t turn on a simple inside/outside binary.  Rather, the Court noted:

The observations … in this case took place within public navigable airspace … in a physically nonintrusive manner; from this point, they were able to observe plants readily discernible to the naked eye as marijuana …. Any member of the public flying in this airspace who glanced down could have seen everything that these officers observed….. In an age where private and commercial flight in the public airways is routine, it is unreasonable for respondent to expect that his marijuana plants were constitutionally protected from being observed with the naked eye from an altitude of 1,000 feet.

In this case, monitoring of the curtilage is clearly treated as “outside” surveillance given the method employed—a method that, crucially, is “routine” for members of the public who are not police officers. As the Court makes clear in a footnote, such aerial surveillance might become intrusive enough to qualify as a search if it involved “technology which discloses to the senses those intimate associations, objects or activities otherwise imperceptible to police or fellow citizens.”

Let me posit that almost all of us normally expect privacy for communications and activities that, though they occur in a public space, would be “imperceptible… to fellow citizens” whose senses were not augmented by sophisticated technology, and we routinely rely on that expectation in practice. If I am at a crowded party and wish to pull a friend aside for a private chat, I may seek out an empty room and close the door behind us… but I may equally reasonably step outside, like the couple in The Conversation, to talk in hushed tones in the deserted driveway.  And my expectation that this conversation is private may be reasonable even if, of course, someone could overhear us by approaching close enough to pick up our whispers with an unaided ear—at which point we would stop discussing private matters. Indeed, for people of severely limited economic means—people who may lack regular access to “inside” spaces other than thin-walled tenement apartments or even crowded homeless shelters—the de facto “privacy” of isolation in nominally “public” spaces may be the only sort realistically available.

Parallel reasoning applies if we consider movements rather than conversations. A person driving down a public street is subject to observation—but many contextual features determine whether they reasonably expect such observation in a specific case.  Someone who undertakes a long journey along a desolate highway at night will, normally, reasonably believe that they are not being followed or observed if they don’t see headlights trailing them.  Two people who rendezvous at a cabin deep in the woods, arriving separately, will not be less shocked that their liaison is being monitored because the dirt road to their meeting point is “public.”

A simple, binary “inside/outside” bright line rule for deciding how the Fourth Amendment applies to high-tech surveillance is appealing because of its seeming clarity and straightforwardness. But clarity is not a virtue if it is achieved at the price of the underlying interests the Fourth Amendment protects. After all, “no warrants are ever required” would be the clearest, simplest rule of all.

A Response to Orin Kerr on GPS Tracking is a post from Cato @ Liberty - Cato Institute Blog

In November, an important case before the Supreme Court—United States v. Antoine Jones—will take up the question of whether the warrantless GPS tracking of an automobile violates the Fourth Amendment’s prohibition on unreasonable searches and seizures. (Our colleague Jim Harper has penned an excellent amicus brief arguing that it does.) This comes as the press have focused increasingly on the legally controversial practice of using cell phones and other location-aware mobile devices to track suspects. Perhaps unsurprisingly, both the press and many civil liberties advocates are linking these issues together. But it’s important to recognize that they’re actually distinct in many ways: What implications this ruling has for location tracking of phones will depend crucially on why they decide the way they do, because of the differences in the technologies involved. So I want to consider several possible outcomes in the Jones case, and what implications they would have for the broader question of location tracking under the Fourth Amendment.

Just to review the facts: This case involved a drug trafficking suspect on whose car the police surreptitiously installed a GPS tracking device, which they proceeded to monitor for nearly a month, giving them a map of the car’s movements 24 hours a day during the period. Police had sought a court order authorizing the installation, but they installed it outside the jurisdiction covered by the order, and after the order had already expired. Two cases from the early 80s involving more primitive tracking technology—Knotts and Karo—suggest that the constitutional line is at the boundary between public spaces: Tracking a person or their property into a private location, such as a residence, is a Fourth Amendment “search” requiring a warrant, but monitoring limited to the public movements of (say) a vehicle is not, because we have no “reasonable expectation of privacy” in activities that we “knowingly expose” to the general public. (As an intuitive test of this reasoning, ask yourself if, upon finding a GPS tracker that had been affixed to your private car weeks or months ago, you would really react in the same way as if you’d been told another driver had observed some particular commute.)

Still, there are important differences between the tracking technology in use when those cases were decided and modern GPS tracking devices, and still further differences between those and the various forms of cell phone location tracking. As an amicus brief authored by technology experts stresses, the “beepers” used in Knotts were rather like short-range geiger counters: They were a supplement to ordinary visual surveillance by police, who still had to follow along, observe where the suspects went, and record their observations. The beepers just ensured that the suspect would not lose the “tail.” In practice, the extent of such monitoring would have to be pretty similar to what any person could normally achieve by unassisted observation—limited in scope, duration, and (crucially) the number of people who could simultaneously be monitored. Tracking via GPS is potentially far more sweeping.

Cell phone tracking, however, has the capacity to be still more invasive. Because people typically carry their phones on their person—and not just when driving in public—it provides a far more detailed picture of a person’s activities, and when the location method used is precise enough, poses a greater risk of crossing the boundary between monitoring in public and private spaces. And while GPS tracking makes feasible the simultaneous tracking of many more people than could be physically tailed, there are still practical limits. Because nothing needs to be “installed” for cell surveillance, in principle it could be used to track entire populations—and indeed, it’s at least possible that tracking on this scale is already happening. When police use so-called “stingray” or “triggerfish” technology to track a phone, it is otherwise akin to the use of a GPS tracking device, in that these technologies are deployed by police to directly track a suspect, except that instead of planting a device that emits radio signals, they intercept the signals already being emitted by the suspect’s own phone.

When, instead, tracking is done with the assistance of a telecom, there is a further difference: Police are accessing information that has already been obtained (and, often, would already be retained by) a third-party corporation for the non-governmental purpose of providing cell service. This form of monitoring also opens the door to retroactive tracing. Government documents released recently under a Freedom of Information Act request reveal that some telecoms now routinely keep years worth of customer location records—though it is unclear whether this includes data from multiple towers (allowing tracking with GPS-level precision) and whether these records are continuous, or only cover location at the time a phone is being used to make a call. With these differences in mind, let’s consider different ways the court might rule in Jones, and what it might mean for cellular tracking.

The worst outcome for privacy advocates in this particular case, of course, would be for the Court to simply conclude that GPS trackers are fundamentally no different from the beepers in Knotts: There is no Fourth Amendment privacy interest in location data pertaining to public movements, regardless of how precise, comprehensive, or infeasible to obtain by conventional visual surveillance, and regardless of the technological means by which the information is gathered (assuming it does not involve some other illegal act, such as trespass). This would weigh heavily against finding a Fourth Amendment obstacle to most cell phone tracking that relied on information from a single cell tower, though as computer scientist Matt Blaze explained to Congress last year, even location to the nearest tower is becoming increasingly precise as telecoms deploy “microcells” to cope with ever heavier wireless data traffic. It would not necessarily preclude Fourth Amendment regulation of cell tracking that used triangulated cell tower data, or the handset’s native GPS technology, given the vastly greater risk that such tracking would “follow” suspects into private spaces—forbidden by the ruling in Karo. (This is one reason automobile GPS trackers are often configured not to generate data unless the car is in motion.) It might, however, be technologically feasible in some cases to “filter” such tracking using the known coordinates of public streets, sidewalks, malls, parks, and other non-private spaces. If the Court were to rule against Jones, these would constitute a kind of virtual “green zone,” potentially allowing police to monitor freely, so long as recording automatically ceased whenever a suspect’s phone ventured off the public portions of the map. (A similar rule applies to “pen-register” surveillance of communications metadata: A monitoring device may be used to capture dialed phone numbers without a full Fourth Amendment warrant, but must be designed so as to avoid capturing any communications content—including touchtone digits entered after a call has connected.)

Now let’s consider some different ways the Court could rule in Jones’ favor. The Fourth Amendment prohibits unreasonable seizures as well as searches, and so the Court could take the path suggested by the dissent in Karo (and in Cato’s own amicus brief):

The attachment of the beeper, in my judgment, constituted a “seizure.” The owner of property, of course, has a right to exclude from it all the world, including the Government, and a concomitant right to use it exclusively for his own purposes. When the Government attaches an electronic monitoring device to that property, it infringes that exclusionary right; in a fundamental sense, it has converted the property to its own use. Surely such an invasion is an “interference” with possessory rights; the right to exclude, which attached as soon as the can respondents purchased was delivered, had been infringed. That interference is also “meaningful”; the character of the property is profoundly different when infected with an electronic bug than when it is entirely germ-free.

In a similar spirit, the court could focus, as Justice Brennan’s partial concurrence in Knotts did, on the “physical intrusion of a constitutionally protected area,” which may trigger Fourth Amendment safeguards “even if the same information could have been obtained by other means.” In theory, a ruling on these grounds could raise the bar for physical installation of GPS trackers without affecting cell tracking that involves no physical intrusion. But maybe only in theory.

The wrinkle here is that while normally “search” and “seizure” are separate issues—police may briefly “seize” your laptop while wating for a court order to “search” it, or “search” your property without “seizing”—in this case it seems harder to disentangle the questions. Suppose, for instance, a police officer rudely disposed of his bubblegum by sticking it to your car’s tire or undercarriage. Whatever else we might want to say about this, it strains plausibility to call it a Fourth Amendment seizure. If a GPS tracker is different, it’s precisely because it enables further monitoring—which means the question is likely to be bound up with whether that monitoring itself invades privacy interests. The Court might still want to focus on the “seizure” aspect for the following reason: There are messy arguments (which I’ll examine below) over whether location tracking might be permissible up to a point, and only become a search when it is too protracted or precise, or depending on contingent facts about whether it actually does end up following the suspect into a private space. Ruling that installation of a tracker constitutes a seizure insofar as it creates the capability for more intrusive monitoring by police (and perhaps others with the right equipment) provides a convenient bright line. This kind of reasoning would be unlikely to affect cell tracking, however, where there is no independent invasion of any property interest in the phone that can be distinguished from the monitoring itself.

Next, the court could go the Kyllo route. This case involved use of infrared imaging cameras to detect the telltale heat signature of marijuana grow lamps. As the dissent in that case observed, public evidence that the suspect’s garage was unusually warm could have been obtained by various means that clearly did not offend the Fourth Amendment. Police might, for instance, have observed snow melting more quickly over one part of the roof, and noted this fact as one component of the “probable cause” justifying a physical search warrant. Justice Scalia, writing for the majority, deemed this “quite irrelevant”:

The fact that equivalent information could sometimes be obtained by other means does not make lawful the use of means that violate the Fourth Amendment. The police might, for example, learn how many people are in a particular house by setting up year-round surveillance; but that does not make breaking and entering to find out the same information lawful.

Things get a little bit hairy here: The reasoning in Kyllo leans heavily on the idea that information about the interior of the home is due the very highest level of presumptive deference, and there is perhaps a whiff of circularity to Scalia’s logic. But the core idea is that using sense-enhancing technology beyond what is in general public use may be an offensive means of gathering information, even if the particular information obtained is not categorically private, insofar as it could in principle be observed by unaided senses. Given that many states have either passed explicit laws against nonconsensual GPS tracking, or treat it as a form of “stalking,” it seems unlikely that this type of use of GPS technology would become common among the general public.

While it may seem slightly ad hoc, this sort of “general public use” rule provides a kind of neat Kantian way of solving the notorious problem of legally determining “reasonable expectations of privacy” without risking circularity: If we are not prepared to countenance routine use of a method of information gathering by ordinary citizens, then it violates our “reasonable expectations” even if it might otherwise seem analogous to forms of monitoring that are not searches. This relieves the Court of the responsibility of determining purely on the strength of its own intuitions about which features of a technology are relevant to the Fourth Amendment analysis, or when a method of information gathering is “different enough” from traditional, unaided methods to be treated differently. Instead, the Court can defer to public attitudes as: If this is not a method of observation we’re comfortable with everyone using, we will treat it as a search whether or not we can specify precisely why it is more objectionable than alternative methods that are not searches. We note that the public regards them differently, and treat this as prima facie reasonable.

There are, of course, distinctions we can point to. We’ve already noted that GPS allows more detailed and protracted monitoring than would be practical by physical tailing, even aided by a beeper. But it also, crucially, permits tracking in many situations where, even if a person is technically in a “public” space, a reasonable person would be fairly confident that they were not being monitored. Someone driving deep into remote woods at night, or along an empty desert highway at noon, would often reasonably expect that they were not observed—and might not realistically be subject to unaided observation without making it obvious that they were being followed. Beeper tracking, recall, was only effective in contexts where it would be clear that visual monitoring was probable. Since this difference in contextual expectations would not neatly track the distinction between public and private spaces, it might be enough—bolstered by the rarity and frequent legal disapproval of nonconsensual GPS—to support a general warrant requirement for the class of technologies, without regard to whether a particular instance did or did not entail such a contextual violation.

A Kyllo-like rule that shifted the focus from the intrinsically public or private characteristics of the information obtained to non-standard (and therefore un-”expected”) technological means of monitoring would probably similarly frown on “triggerfish” or “stingray” devices, which enable police to independently pick up radio signals emitted by a phone in order to track location—in much the same way the thermal imaging camera picked up radiation emitted by marijuana lamps within the home. But it would not necessarily create a barrier to the more common form of cell location tracking, involving cooperation from telecommunications companies. That cooperation is normally obtained by means of a court order—but the order is not necessarily (or, indeed, typically) a full Fourth Amendment warrant based on probable cause. This, the Court might argue, is more like detecting the presence of marijuana growing lamps by subpoenaing the billing records from the power company. According to an unfortunate line of Supreme Court rulings, citizens are typically presumed to waive their privacy interest in data held in such corporate records, even though it might constitute a search for police to obtain the same data directly. This logic, however, would only apply to location data that the provider was already in the practice of retaining for ordinary business purposes. If the police wanted to use telecom facilities to generate or retain more precise or detailed location data than was normal, Courts would be more likely to treat that as analogous to direct police monitoring.

Finally, the Court could follow the path carved out by the D.C. Court of Appeals and apply the reasoning of the so-called “Mosaic Theory,” which just to recap briefly, suggests that someone’s “reasonable expectation of privacy” may be violated by the totality of the government’s conduct (in this case, sustained 24-hour surveillance over the course of a month) even if it can be broken up into smaller component observations (following someone during a particular public journey, or for a much shorter period) that would not constitute an invasion of privacy. On this reasoning, neither GPS nor cell tracking would necessarily trigger the Fourth Amendment’s warrant requirement; rather, it would depend on the duration and scope of the monitoring.

While the same distinction between direct surveillance and monitoring via third-party records would still apply, the logic of the Mosaic argument might tend to cut against the implied waiver of privacy rights in third-party records, at least in some cases. That is, one could attempt a parallel argument that even if people knowingly and voluntarily expose approximate information about their cell phone’s location when they use a provider’s network—and even this is frankly dubious—this is not the same as voluntarily exposing a detailed map of their movements, such as might be generated sophisticated triangulation of many particular “check ins.” This type of argument would be weakened when monitoring involved more limited data from a single provider—such as a record of the nearest tower only at times when a call is made or ends. It would have additional force when the data was more detailed, and especially if police aggregated location information from multiple providers—a Verizon phone and a tablet on AT&T’s data network, say—to develop a more precise and detailed map of the target’s movements that would have been available from either provider alone.

Needless to say, adopting this reasoning would have far-reaching and unpredictable implications for many types of government information collection beyond location tracking, and constitute a fairly dramatic shift in Fourth Amendment jurisprudence. Thus, while I believe the logic of the Mosaic Theory is essentially sound, and that it captures an important truth about privacy, I find it extraordinarily unlikely that the Court will take this path—and I’d wager that they’ll look for almost any other principle for regulating location surveillance under the Fourth Amendment other than this one, for fear of creating chaos in the lower circuits.

This has been a long and involved post, so let’s review. I’ve identified four broad approaches the Court could take in this case, each of which have different implications for cell location tracking involving either “stingrays” or telecommunications records.

A ruling that simply rejects Jones’ Fourth Amendment claims would imply that relatively imprecise cell location tracking remains similarly unregulated, but would not affect the fundamental Knotts/Karo distinction between strictly public monitoring and tracking that crossed into private spaces. Thus it would not rule out the possibility that a warrant is required for highly precise location tracking, unless such tracking can be automatically limited to public spaces by some filter technology. An opinion based exclusively on a “seizure” rationale might not affect any type of cell tracking not involving physical intrusion, but any reasoning that found GPS tracking to be a constitutionally significant seizure would also tend to imply a privacy interest in location information. A Kyllo-like rule focusing on unusual (un-”expected”) technological methods of surveillance would almost certainly apply to direct police tracking via stingrays and triggerfish, but might not pose an obstacle to tracking based on telecom records, except when the police ask a telecom to generate or retain more detailed location data than it would for ordinary business purposes. Finally, a ruling relying on the Mosaic Theory—probably the least likely outcome—would not prohibit any location tracking technology per se, but require a warrant when tracking became more protracted and detailed than would be feasible using physical surveillance teams. There may, of course, be other options I have not considered—and these are not mutually exclusive—but they are the most obvious broad alternative approaches.

As should be apparent, then, the outcome of this location tracking case does not at all predetermine the Court’s response to the more worrying (and likely more pervasive) practice of cellular location tracking. The rationale the Court relies upon here, though, will at least hint at the shape Fourth Amendment regulation of different methods of cell tracking might take.

Gaming Out the Supreme Court GPS Tracking Case is a post from Cato @ Liberty - Cato Institute Blog

Tattoo it on your forearm—or better, that of your favorite legislator—for easy reference in the next debate over wiretapping: government surveillance is a security breach—by definition and by design. The latest evidence of this comes from Germany, where there’s growing furor over a hacker group’s allegations that government-designed Trojan Horse spyware is not only insecure, but packed with functions that exceed the limits of German law:

On Saturday, the CCC (the hacker group) announced that it had been given hard drives containing “state spying software,” which had allegedly been used by German investigators to carry out surveillance of Internet communication. The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the United States. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Back in 2004–2005, software designed to facilitate police wiretaps was exploited by unknown parties to intercept the communications of dozens of top political officials in Greece. And just last year, we saw an attack on Google’s e-mail system targeting Chinese dissidents, which some sources have claimed was carried out by compromising a backend interface designed for law enforcement.

Any communications architecture that is designed to facilitate outsider access to communications—for all the most noble reasons—is necessarily more vulnerable to malicious interception as a result. That’s why technologists have looked with justified skepticism on periodic calls from intelligence agencies to redesign data networks for their convenience. At least in this case, the vulnerability is limited to specific target computers on which the malware has been installed. Increasingly, governments want their spyware installed at the switches—making for a more attractive target, and more catastrophic harm in the event of a successful attack.

The Lives of Others 2.0 is a post from Cato @ Liberty - Cato Institute Blog